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NATURE OF THE ACTION 

1. This class action arises from AT&T’s' knowing, systematic, and unauthorized 
sale of its wireless phone customers’ sensitive location data. Despite vowing to its customers 
that it does not “sell [their] Personal Information to anyone for any purpose,”^ AT&T has been 
selling its customers’ real-time location data to credit agencies, bail bondsmen, and countless 
other third parties without the required customer consent and without any legal authority. 
AT&T’s practice is an egregious and dangerous breach of Plaintiffs’ and all AT&T customers’ 
privacy, as well as a violation of state and federal law. 

2. Asa telecommunications carrier, AT&T is entrusted with real-time location data 
so that it can help 911 operators find its customers in the event of an emergency. Underlying this 
911 data is a powerful, highly precise technology that can locate callers within a building, to the 
floor or even room level. This real-time location data is highly sensitive and can reveal where 
any AT&T customer is located—often within just a few meters—in seconds. 

3. This precise, real-time location data is intended solely for public safety uses. 
Plaintiffs and other AT&T customers have no ability to opt out of its collection. This data was 
never intended for broad commercial purposes. To the contrary, federal law requires AT&T to 
protect and safeguard its customers’ sensitive data, and mandates that AT&T not allow third 
parties to use or access customers’ geolocation information except in rare public safety scenarios 
or with the customer’s affirmative, express consent. 

4. AT&T has knowingly breached its duties to protect Plaintiffs’ sensitive location 
data in order to profit from it. Despite the recognized sensitivity of location data and AT&T’s 
obligations and promises to safeguard it, AT&T has been allowing unauthorized access to its 
customers’ precise, real-time location data to thousands of third parties for years. AT&T works 
with location data aggregator companies which specialize in the commercial sale of location data 
for widespread purposes. AT&T uses these aggregators, including Aggregator Defendants 


^ Defined herein to include defendants AT&T Services, Inc., AT&T Mobility LLC, and AT&T 
Inc. 

^ AT&T, “Privacy Policy,” attached hereto as Ex. A. 
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LocationSmart and Zumigo, to manage the sale of its data to thousands of entities—including bail 
bondsmen, bounty hunters, and prison officials—who routinely access and use the data without 
customer knowledge or consent, and without any emergency 911 basis. 

5. Defendants’ practices allow Plaintiffs and other AT&T customers to be tracked 
and targeted by u nkn own third parties without their knowledge. AT&T leverages the technology 
embedded within a customer’s phone and its own network infrastructure to locate its customers 
without any indication that AT&T is tracking them in order to sell their precise location to third 
parties for non-911 purposes. Indeed, AT&T’s practices were only publicly exposed after an FBI 
investigation revealed that a sheriff in Missouri had used carrier location data to stalk a Circuit 
Court Judge and fellow law enforcement officers without their knowledge or consent and without 
any legal authority to do so. This highly sensitive data has also been used to harass AT&T 
customers and bypass the rights afforded by the Fourth Amendment. 

6. Defendants’ sale of their customers’ real-time location data is a violation of 
Plaintiffs’ reasonable expectations of privacy. Plaintiffs’ expectation is reflected in widely held 
social norms and enshrined in state and federal law, including in the federal Communications 
Act, which requires AT&T to protect customers’ location data precisely because it is in a 
privileged position to know this information as a byproduct of operating a cellular phone service. 
AT&T’s repeated promises to customers that it would safeguard the data from unauthorized 
access and would not sell it only heightens the outrageousness of AT&T’s conduct. 

7. As Federal Communications Commission Commissioner Geoffrey Starks 
explained in February 2019, “It is absolutely chilling to thi nk that a stranger can buy access to 
exactly where we are at any given moment by tapping into the data on our phones without our 
consent. And, now I am hearing allegations that consumers’ GPS data—data so accurate that it 
can pinpoint your location the floor of a building you are in—is also available for sale. It isn’t 
difficult to imagine intrusive or even downright dangerous uses of this data.”^ 


^ See Email from Michael Scurato (FCC) to Joseph Cox (Motherboard) (Feb. 4, 2019), attached 
hereto as Ex. B. 
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8. Plaintiffs Katherine Scott, Carolyn Jewel, and George Pontis are California 
residents and AT&T wireless customers. Plaintiffs were unaware of and never consented to 
Defendants’ sale of their real-time location data. To the contrary. Plaintiffs had the reasonable 
expectation that their sensitive, real-time location data would be protected and safeguarded by 
AT&T, pursuant to federal and state law and AT&T’s own promises. 

9. Thus, entrusted with its customers’ sensitive real-time location data for 911 
purposes, and having promised to safeguard that data, AT&T decided instead to profit from that 
information. It quietly sold its customers’ real-time location data to third-party aggregators 
knowing that once sold, that sensitive location data would later enter the marketplace where it 
could be used for nefarious purposes. AT&T’s conduct is reprehensible and must be stopped. 
AT&T must be held accountable. 

I. THE PARTIES 

A, The Plaintiffs 

10. Plaintiff Katherine Scott is an active, paying AT&T wireless customer. She is, 
and at all relevant times was, a resident of Santa Cruz, California. Plaintiff Scott joined AT&T 
approximately nine years ago while residing in California. She pays AT&T every month for her 
personal wireless cell phone account, which includes a fee for a limited amount of mobile data 
per month. Plaintiff Scott did not—and could not— kn ow that AT&T would sell access to her 
real-time location data to third parties, and she at all times expected AT&T to abide by federal 
and state laws concerning its privacy practices. Plaintiff Scott relied on AT&T’s representations 
about its privacy and security policies, and she would not have signed up for AT&T’s wireless 
service, or would have paid less for the service, had she known about the acts and omissions 
described herein. 

11. Plaintiff Carolyn Jewel is an active, paying AT&T wireless customer. She is, and 
at all relevant times was, a resident of Petaluma, California. Plaintiff Jewel is a long-time AT&T 
wireless subscriber. She originally signed up for wireless service with Cellular One in 1999 
while residing in California. By May 2006, she was billed by and paid her wireless bills to 

Cingular, following changes in corporate ownership. By April 2007, she was billed by and paid 

_^ 3 ^_ 
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her wireless bills to AT&T. Plaintiff Jewel does not reeall ever signing any eontract with AT&T 
following the change in corporate ownership, but has reviewed AT&T’s privacy policy, including 
AT&T’s representations about its data privacy and data sale practices. She pays AT&T every 
month for her personal wireless cell phone account. Plaintiff Jewel did not—and could not— 
know that AT&T would sell access to her real-time location data to third parties, and she at all 
times expected AT&T to abide by federal and state laws concerning its privacy practices. 

Plaintiff Jewel relied on AT&T’s representations about its privacy and security policies, and she 
would not have signed up for AT&T’s wireless service, or would have paid less for the service, 
had she known about the acts and omissions described herein. 

12. Plaintiff George Pontis is an active, paying AT&T wireless customer. He is, and 
at all relevant times was, a resident of San Mateo County, California. Plaintiff Pontis is a long¬ 
time AT&T wireless subscriber. He originally signed up for wireless service with Cingular 
Wireless while residing in California. Cingular Wireless later became a part of AT&T. Plaintiff 
Pontis does not recall ever signing any contract with AT&T following the change in corporate 
ownership, but relied on AT&T’s representations about its data privacy and data sale practices in 
maintaining his AT&T account. He pays AT&T every month for his personal wireless cell phone 
account, which includes a fee for a limited amount of mobile data per month. Plaintiff Pontis did 
not—and could not— kn ow that AT&T would sell access to his real-time location data to third 
parties, and he at all times expected AT&T to abide by federal and state laws concerning its 
privacy practices. He would not have signed up for AT&T’s wireless service, or would have 
changed the way he used his phone or paid less for the service, had he known about the acts and 
omissions described herein. 

B, The AT&T Defendants 

13. Defendant AT&T Inc. is a Delaware corporation with its principal office or place 
of business in Dallas, Texas. AT&T Inc. transacts or has transacted business in this District and 
throughout the United States. It is the second largest wireless carrier in the United States, with 
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more than 153 million subscribers, earning $160 billion in total operating revenues in 2017 and 
$170 billion in 2018. As of December 2017, AT&T had 1,470 retail locations in California."^ 

14. Defendant AT&T Inc. provides mobile wireless telecommunication services and 
sells mobile wireless handsets to California consumers, including Plaintiffs, through AT&T Inc. 
and its wholly owned subsidiaries, including Defendants AT&T Services, Inc. and AT&T 
Mobility LLC. 

15. Defendant AT&T Services, Inc. is a Delaware corporation with its principal office 
or place of business in Dallas, Texas. AT&T Services, Inc. transacts or has transacted business in 
this District and throughout the United States. 

16. AT&T Mobility, LLC is a Delaware limited liability corporation with its principal 
office or place of business in Brookhaven, Georgia. AT&T Mobility provides wireless service to 
subscribers in the United States, Puerto Rico, and the U.S. Virgin Islands. AT&T Mobility is a 
“common carrier” governed by the Federal Communications Act (“FCA”), 47 U.S.C. § 151 et 
seq. AT&T Mobility is regulated by the Federal Communications Commission (“FCC”) for its 
acts and practices, including those occurring in this District. AT&T Mobility LLC transacts or 
has transacted business in this District and throughout the United States. 

17. AT&T’s Mobility business unit “provides nationwide wireless services to 
consumers and wholesale and resale wireless subscribers located in the United States or U.S. 
territories” and the Mobility business unit accounted for $71 billion in revenue in 2017 and 
2018.^ 

18. AT&T’s 2018 Annual Report acknowledged that its “profits and cash flow are 
largely driven by [its] Mobility business” and “nearly half of [the] company’s EBITDA (earnings 
before interest, taxes, depreciation and amortization) comes from Mobility.”^ 

C, The Aggregator Defendants 

^ “About Us,” AT&T, available at https://engage.att.com/california/about-us/ . All URLs in this 
complaint were last accessed on July 9, 2019, unless otherwise noted. 

^ Id. 

^ “2018 Annual Report,” AT&T, available at https://investors.att.eom/~/media/Files/A/ATT- 
IR/financial-reports/annual-reports/2018/complete-2018-annual-report.pdf 
_ ^ 5 ^ _ 
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19. Defendants TechnoCom Corporation d/b/a LoeationSmart (hereafter, 
“LoeationSmart”) and Zumigo Inc. (hereafter, “Zumigo,” and together with LoeationSmart, 
“Aggregator Defendants”) are location data aggregators, companies that specialize in the 
aggregation and sale of location data for myriad commercial purposes. AT&T used 
LoeationSmart and Zumigo to manage the buying and selling of its customers’ real-time location 
data. ^ 

20. LoeationSmart is a division of Defendant TechnoCom Corporation (hereafter, 
“LoeationSmart”). ^ TechnoCom Corporation is a Delaware corporation, headquartered in 
Carlsbad, California. 

21. LoeationSmart advertises itself as a “a comprehensive location platform[.]”^ In 
2015, LoeationSmart merged with Locaid, which was marketed at the time as “the world’s 
largest Location-as-a-Service platform for enterprise location!.]” Location-as-a-Service refers 
to a “location data delivery model where privacy protected physical location data acquired 
through multiple sources including carriers, Wi-Fi, IP addresses and landlines is available to 
enterprise customers!.]” LoeationSmart and Locaid now operate under the LoeationSmart 
brand, which advertises itself as the “world’s largest location-as-a-service company.” 

22. LoeationSmart, as a location data aggregator, compiles location information from 
numerous sources for use by LoeationSmart’s customers. On its website, LoeationSmart 
advertised that it obtains location data from more than 175 million devices through wireless 


^ Letter from Timothy McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (Feb. 15, 
2019), available at https://www.documentcloud.org/documents/5767087-AT-T-Response-to- 
Wvden-on-Phone-Location-Data.html . 

* “TechnoCom Rebrands Platform as LoeationSmart,” LoeationSmart (April 16, 2012), available 
at https://www.locationsmart.com/companv/news/technocom-rebrands-platform-as- 

locationsmart. 

^ “Home,” LoeationSmart, available at https://www.locationsmart.com/ . 

“LoeationSmart and Locaid Announce Merger,” LoeationSmart (Feb. 26, 2015), available at 
https://www.locationsmart.coin/companv/news/locationsmart-and-locaid-announce-merger . 

“Location as a Service,” Wikipedia, available at 
https://en.wikipedia.org/wiki/Location as a service . 

“Location Intelligence,” LoeationSmart (accessed May 9, 2019), available at 
https://www.locationsmart.com/platform/location . 
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carriers, and supplements that location data using 1.8 billion WiFi access points, GPS data, three 
billion IP addresses, and 3.2 billion browsers. LoeationSmart advertises to its customers that 
they can use this information data for various purposes, including “retail, financial services, 
contact centers, logistics and supply chain, transportation, gaming and roadside assistance among 
others.”'^ 

23. LocationSmart’s relationship with AT&T is critieal to LoeationSmart’s business 
model, as it provides LoeationSmart with direct access to AT&T eustomers’ location data. In 
May 2018, LoeationSmart stated that it could “deliver aceess to more than 400 million mobile 
devices across the eountry, reach to over 95 percent of U.S. wireless subscribers and coverage for 
over 100 million landlines as a result of direct connections with all major carriers. Carrier 
Network Location allows enterprises to reach all devices with eellular data connections and this 
includes everything from smartphones and feature phones to tablets and M2M modules.”'^ 

24. Upon information and belief, AT&T gave LoeationSmart explicit and implied 
authority to act on AT&T’s behalf in accessing AT&T customers’ location data. 

25. LoeationSmart also works with carriers like AT&T to test, monitor, and report on 
location data accuracy for 911 emergency purposes. 

26. Defendant Zumigo is a California corporation headquartered in San Jose, 
California. Zumigo was founded in 2008 “with a mission to enable and seeure commerce using 
Mobile networks.” AT&T used Zumigo to manage the buying and selling of its eustomers’ real¬ 
time location data. 


Id. 

“LoeationSmart and Carrier Network Location,” LoeationSmart, available at 
https://www.locationsmart.com/resources/carrier-network-location . 

“Carrier Network Location Collateral,” LoeationSmart (arehived from May 12, 2018), 
attaehed hereto as Ex. C. 

“Carrier Services,” LoeationSmart, available at 
https://www.locationsmart.com/platform/carrier-services . 

Snehashis BChan, “Securing Transactions and Customer Applications Through Location,” 
Zumigo Inc. (Jan. 2017), available at 

https://geospatialworldforum.org/speaker/SpeakersImages/securing-transactions-and-customer- 

applications-through-location.pdf 

Letter from Timothy MeKone to U.S. Senator Ron Wyden (Feb. 15, 2019), supra at 7. 
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27. Critical to Zumigo’s business model is its direct access to AT&T customers’ 
location data. Zumigo markets itself as “a trusted partner of mobile providers, credit bureaus, 
financial institutions, and retail merchants” and advertises its ability to “[rjoute traffic over the 
cellular network” and utilize “realtime user identity information.” 

28. Upon information and belief, AT&T gave Zumigo explicit and implied authority 
to act on AT&T’s behalf in accessing AT&T customers’ location data. 

29. Each of the Aggregator Defendants work as an agent of AT&T. On information 
and belief, AT&T and each of the Aggregator Defendants has a relationship wherein AT&T has 
the right to control which third parties each Aggregator Defendant may provide with access to 
AT&T’s customer location data. On information and belief, AT&T gives each Aggregator 
Defendant the right to contract with third parties to aceess AT&T location data on AT&T’s 
behalf. 

30. AT&T, LocationSmart, and Zumigo are collectively referred to herein as 
“Defendants.” 

II. JURISDICTION AND VENUE 

31. This Court has jurisdiction over this matter under 28 U.S.C. § 1331 because this 
case arises under federal question jurisdiction under the Federal Communications Act (“FCA”). 
The Court has supplemental jurisdiction under 28 U.S.C. § 1367 over the state law claims 
because the claims are derived from a common nucleus of operative facts. The Court also has 
jurisdiction over this action pursuant to 28 U.S.C. § 1332 because this is a class action in which 
the matter or controversy exceeds the sum of $5,000,000, exclusive of interests and costs, and in 
which some members of the proposed Class are citizens of a different state than Defendants. 

32. This Court has personal jurisdiction over Defendants because Defendants 
purposefully direct their conduct at California, transact substantial business in California 
(including in this District), have substantial aggregate contacts with California (including in this 
District), engaged and are engaging in conduct that has and had a direct, substantial, reasonably 

“Company,” Zumigo, available at https://zumigo.com/companv/ . 

“Solutions,” Zumigo, available at https://zumigo.com/solutions/ . 
_ ^ 8 ^ _ 
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foreseeable, and intended effect of causing injury to persons throughout the United States, 
including those in California (including in this District), and purposely avail themselves of the 
laws of California. Each of the Plaintiffs paid for AT&T services within the state, and each was 
injured in California where they reside. AT&T had more than 33,000 employees in California as 
of 2017, and 1,470 retail locations in the state. Additionally, Defendants Zumigo and 
LocationSmart are headquartered in and/or have principal places of business in California. 

33. In accordance with 28 U.S.C. § 1391, venue is proper in this district because a 
substantial part of the conduct giving rise to Plaintiffs’ claims occurred in this District and 
Defendants transact business in this District. 

III. DIVISION ASSIGNMENT 

34. Pursuant to Civil L.R. 3-2(c), assignment to this Division is proper because a 
substantial part of the conduct which gives rise to Plaintiffs’ claims occurred in this District. 
Defendants market their products throughout the United States, including in San Francisco and 
Alameda counties. 

IV. ALLEGATIONS APPLICABLE TO ALL COUNTS 

A. AT&T Has Access to Its Customers’ Real-Time Location Data by Virtue of 
Operating a Mobile Cellular Pbone Network. 

35. By virtue of operating a mobile phone network, AT&T kn ows its customers’ real¬ 
time locations because it has to collect that information to provide service to its customers’ 
cellular phones. 

36. Cellular phone networks work by routing phone calls, text messages, and data for 
email messages, Internet browsing, mobile applications, and other operations from a network of 
fixed towers containing antennas to an individual customer’s cell phone. 

37. To receive information from fixed towers, cell phones scan their surroundings and 
connect with the towers providing the best signal, which are often the ones that are physically 
closest to the phones. 


“About Us,” AT&T, supra at 4. 
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38. Cell phones are designed to continuously scan and connect with the cell tower 
providing the best signal, and they perform this task in the background without the customer’s 
knowledge or direction. Each time a phone connects to a tower, there is a record created that 
details exactly when a particular cell phone connected to a fixed cellular tower, and to which 
tower. 

39. Depending on the area and the number of cell towers present, the data can provide 
the real-time location of a customer’s cell phone to within 50 meters. 

40. Because AT&T operates a mobile phone network, it obtains troves of this precise 
real-time location data around the clock for each device used by every customer on its network. 

B, Public Reports Reveal AT&T’s Sale of Access to Its Customers’ Real-Time 
Location Data, and the Rampant Abuses Flowing from Such Sale, 

41. AT&T’s and the Aggregator Defendants’ sale of PlaintilTs’ and all other AT&T 
wireless customers’ location data was unknown to PlaintilTs and the public at large until it began 
to be revealed in media reports in 2018 and 2019. 

i. May 2018 Reporting Reveals AT&T’s Sale of Customer Location Data 
to Prison Officials, 

42. In May 2018, The New York Times reported that AT&T was selling access to its 
customers’ real-time location data to a company called Securus Technologies, Inc. (“Securus”), a 
company that contracts with prisons and jails to be provide inmate communication services at 
those facilities. 

43. Securus was obtaining access to AT&T customers’ location data through 
intermediaries Defendant LocationSmart and a company called “3Cinteractive.”^^ 

LocationSmart contracted with AT&T and had direct access to AT&T customers’ real-time 
location data. With AT&T’s permission and knowledge, LocationSmart then served as a conduit 


Jennifer Valentino-DeVries, “Service Meant to Monitor Inmates’ Calls Could Track You, 
Too,” The New York Times (May 10, 2018), available at 

https://www.nvtimes.eom/2018/05/10/technologv/cellphone-tracking-law-enforcement.html . 

^^Id. 
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between AT&T and hundreds of third parties—including Securus and SCinteractive—seeking to 
use AT&T customers’ location data for various commercial purposes7^ 

44. Securus went on to sell its access to AT&T customers’ location data to thousands 
of third parties, including local law enforcement. Figure 1 immediately below illustrates the 
flow of customer location information. 


AT&T 


Location 

Smart 


SCinteractive 



Securus 


Detention 

facilities 

L_ J 


Figure 1 

45. This data-sharing arrangement allowed countless unknown individuals to obtain 
unauthorized access to AT&T customers’ real-time location data. For example, a Securus 
customer, former sheriff Corey Hutcheson, used carrier location data to target and track 
individuals’ real-time locations—including the location of a Missouri state judge and several 
members of law enforcement—over the course of three years, without their consent or 
knowledge and without legal authority to do so.^^ 

46. Corey Hutcheson had access to Securus’ location services beginning in at least 
2014.^^ That same year, the FBI began investigating Hutcheson for using his access to Securus’ 
online web portal to illegally track the location of cell phones, including the phones of a former 
sheriff, five state troopers, and Circuit Judge David Dolan. The allegations raised suspicions 
among lawyers that Hutcheson had been using the same technology to target local suspects. 
Indeed, federal authorities allege that Hutcheson “submitted thousands of Securus [location 
services] requests and obtained the location data of individual phone subscribers without valid 


^Ud. 

Id. 

See Superseding Indictment, U.S. v. Hutcheson, No. I;I8-cr-0004I-JAR (E.D. Mo. Aug. 17, 
2018) (hereafter “Hutcheson Indictment”), Dkt. No. 33 at]] 15. 

Doyle Murphy, “Sheriff Cory Hutcheson Vowed to Clean Up His Rural Missouri County. 
Now He’s the One Facing Prison,” Riverfront Times (Apr. 26, 2018), available at 
https://www.riverfronttimes.com/stlouis/sheriff-corv- 

hutcheson/ C ontent? oid=48573 5 9&sho wFullT ext=true . 

^^Id. 
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legal authorization, and, often, without the consent or even knowledge of the targeted 
individual. 

47. Federal authorities alleged that Hutcheson had obtained access to individuals’ 
location data by routinely uploading random documents to the Securus web portal and claiming 
that those documents constituted legal authority authorizing him to access other individuals’ 
precise location data. On the basis of those documents, Securus then provided Hutcheson with 
individuals’ real-time, precise location data, which was determined using their cell carriers’ 
technology and access to their phones. 

48. After AT&T’s location data sharing arrangement and the resulting abuses were 
revealed, U.S. Senator Ron Wyden wrote a letter to AT&T Inc. ’s CEO, Randall L. Stephenson. 
Senator Wyden informed AT&T that it was “prohibited from sharing certain customer 
information, including location data, unless the carrier either has the customer’s consent or 
sharing is otherwise required by law” and that AT&T must “ensure surveillance of 
communications and call records using their facilities can only be conducted with the direct and 
specific oversight of the provider 

49. The fact that Securus was able to provide the location service at all. Senator 
Wyden stated, “suggests that AT&T does not sufficiently control access to ... customers’ private 
information.”^^ The Senator stated that no company should be able to provide customers’ private 
information directly to law enforcement “without AT&T’s active oversight and direction.”^^ 

50. Senator Wyden also wrote to the FCC, asking the agency to “investigate abusive 
and potentially unlawful practices of wireless carriers” regarding their sale of access to 


Hutcheson Indictment at ][ 26. 

Id. attH 19-23. 

^^Id. atT125. 

Letter from U.S. Senator Ron Wyden to Randall L. Stephenson (AT&T) (May 8, 2018), 
available at https://www.documentcloud.org/documents/4457319-Wvden-Securus-Location- 
Tracking-Letter-to-AT-amp-T.html . 

Id. (emphasis added). 

^Ud. 

Id. 
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customers’ real-time loeation data7^ Senator Wyden asserted that Seeurus granted law 
enforeement access to the loeation of “any U.S. wireless phone number” if the offieial uploaded 
“a doeument purporting to be an ‘official document giving permission’” to aceess the data7^ 

But, as demonstrated by Sheriff Huteheson’s submissions, those doeuments need not actually 
eonfer any legal authority at all before loeation data would be provided. Senator Wyden warned 
that the carriers’ practiee of selling customer loeation data without determining whether there 
was eonsent or legal authority for sueh aeeess “needlessly exposes millions of Amerieans to 
potential abuse and surveillance by the government.”^* 

51. The risk that the routine sale of customers’ loeation data presents to the publie is 
exemplified by Sheriff Huteheson’s traeking of judieial offieials, law enforeement, and suspects. 

52. The vulnerability of AT&T eustomers’ loeation data is further illustrated by a 
breaeh of the Seeurus server. In May 2018, a hack on Seeurus’ server exposed data eoneeming 
thousands of Seeurus eustomers, including their login information and passwords, thereby 
exposing AT&T customers’ loeation data to eountless u nkn own third parties. 

53. Strikingly, the Seeurus haeker reported that gaining aeeess to AT&T’s highly 
sensitive loeation information for millions of its customers was “relatively simple.”^' 

54. The very same day that the Seeurus haek was reported, a seeurity researeher at 
Carnegie Mellon University identified a seeurity flaw in Aggregator Defendant LoeationSmart’s 
online demonstration, whieh allowed any member of the public to obtain real-time loeation 
information for AT&T eustomers, without the eustomers’ knowledge or eonsent.The 

Letter from U.S. Senator Ron Wyden to Chairman Ajit Pai (FCC) (May 8, 2018), available at 
https://www.wvden.senate.gov/imo/media/doe/wvden-securus-loeation-tracking-letter-to-fec.pdf 

Id. 

Id. 

Joseph Cox, “Hacker Breaches Seeurus, the Company That Helps Cops Track Phones Across 
the US,” Motherboard (May 16, 2018), available at 

https://motherboard.viee.com/en us/artiele/gvkgv9/seeurus-phone-traeking-eompanv-hacked . 

40 m 
41m. 

4^ Brian Krebs, “Tracking Firm LocationSmart Leaked Location Data for Customers of All 
Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site,” Krebs on 
Security (May 17, 2018), available at https://krebsonseeuritv.eom/20I8/05/traeking-firm- 
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researcher, Robert Xiao, had reportedly become interested in LocationSmart following reports 
that LocationSmart was supplying Securus with access to carrier customer location data7^ 

55. At the time of the hack, LocationSmart had a free demonstration on its website for 
potential customers (such as Securus) to try out its location targeting technology. LocationSmart 
claimed it could provide the precise location of almost any cell phone in the United States using 
location data from major cellphone carriers, including AT&T. The demo, which was available 
to the public through LocationSmart’s website, was supposed to seek consent from the targeted 
cell phone user via text message before supplying the location data."^^ 

56. However, LocationSmart failed to properly protect the data used in the demo, 
thereby allowing “[ajnyone with a modicum of knowledge about how Web sites work [to] abuse 
the LocationSmart demo site to figure out how to conduct mobile number location lookups at 
will, all without ever having to supply a password or other credentials."'^^ With “minimal 
effort,” Mr. Xiao was able to bypass the demo’s text message consent structure, unlocking the 
ability to obtain any AT&T customer’s location data without the customer’s consent or 
knowledge.'^'' This unsecured demo had been publicly accessible on LocationSmart’s website for 
approximately 16 or 17 months. 

57. In response to reporting about Securus and LocationSmart, AT&T admitted that 
Securus “did not in fact obtain customer consent before collecting customers’ location 
information” and claimed that, as a result, AT&T had “suspended all access by Securus to AT&T 
customer location data.”"^^ 

locationsmart-leaked-location-data-for-customers-of-all-maior-u-s-mobile-carriers-in-real-time- 

via-its-web-site/ . 

Id. 

^Ud. 

Id. 

Id. (emphasis added). 

Id. (emphasis added). 

^^Id. 

Brian Krebs, “AT&T, Sprint, Verizon to Stop Sharing Customer Location Data with Third 
Parties,” Krebs on Security (June 19, 2018), available at 

https://krebsonsecuritv.eom/2018/06/verizon-to-stop-sharing-customer-location-data-with-third- 

parties/ . 
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58. AT&T also claimed that Securus—rather than AT&T—^was responsible for 
seeuring a customer’s consent before sharing their real-time, precise location data.^^ AT&T 
stated that it had taken “prompt steps to protect customer data”^^ and that its “top priority is to 
protect our customers’ information and, to that end, [it would] be ending [its] work with 
aggregators for these serviees as soon as practical in a way that preserves important, potential 
lifesaving services like emergency roadside assistance. Each of these statements was false 
and/or misleading, as fully alleged below. 

ii, June 2018 Reporting Reveals AT&T’s Sale of Customer Location Data 
to Additional Third Parties, 

59. By June 2018, reporting made clear that AT&T was not just selling its customer 
location data to prison officials and law enforcement for illegal and unauthorized use, but was 
also selling the data on a mueh larger scale for much broader purposes. 

60. Just a few days after AT&T announced that it would stop selling customer data to 
Securus and the Aggregator Defendants, reporting revealed that AT&T customers’ location data 
was being sold to bail bondsmen, bounty hunters, landlords, and numerous other third parties for 
wide-ranging commereial purposes. 

61. Bounty hunters and bail bondsmen were accessing carrier customers’ real-time 
location data through a third party (similar to Securus) called “Captira”- whieh advertised that it 


Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), available at 

https://www.wvden.senate.gov/imo/media/doe/at&t%201etter%20to%20RW%206.15.pdf 

Jon Brodkin, “Verizon and AT&T Will Stop Selling Your Phone’s Location to Data Brokers,” 
Ars Technica (June 19, 2018), available at https://arstechnica.com/tech- 
policv/2018/06/verizon-and-att-will-stop-selling-vour-phones-location-to-data-brokers/; Brian 

Lung, “Verizon, AT&T, T-Mobile and Sprint Suspend Selling of Customer Location Data After 
Prison Officials Were Caught Misusing It,” The Washington Post (June 19, 2018), available 
at https://www.washingtonpost.eom/news/the-switch/wp/20I8/06/I9/verizon-will-suspend-sales- 

of-customer-loeation-data-after-a-prison-phone-company-was-eaught-misusing- 

it/?noredirect=on&utm term=.4f7da64cl 108 . 

Joseph Cox, “Bail Bond Company Let Bounty Hunters Track Verizon, T-Mobile, Sprint, and 
AT&T Phones for $7.50,” Motherboard (June 22, 2018), available at 
https://motherboard.vice.com/en us/artiele/9k873e/captira-phone-traeking-verizon-tmobile- 

sprint-securus-locationsmart-bounty-hunters . 
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could track the location of all major carriers’ cell phones (ineluding phones in the AT&T 
network), to an aeeuraey of 2 meters. 

62. Captira publiely advertised that bounty hunters had used its eell phone loeation 
serviees to traek people aeross state lines. But by 2018, Captira had removed all referenees to 
its loeation services from its website, and the artiele’s sourees claimed that companies with 
aecess to AT&T loeation data had stopped advertising their loeation serviees in 2014 or 2015 out 
of coneern that the serviees were illegal. 

iii, January 2019 Reporting Reveals AT&T’s Customer Location Data 
Sales Are Ongoing, 

63. In January 2019, nearly seven months after AT&T had promised to stop selling 
information to the Aggregator Defendants, another media report revealed that AT&T was still 
selling access to customers’ preeise, real-time location data to location aggregators and allowing 
the highly-sensitive data to be bought from bounty hunters and bail bondsmen for as little as 
$ 300 .^’ 

64. This new reporting further revealed that AT&T had been providing—and 
continued to provide—aecess to real-time customer location data for almost every cell phone in 
the United States to a robust and shadowy downstream market, all without the cell phone user’s 
consent or knowledge. 

65. Reporting showed that, once again, AT&T customer location data was available to 
numerous industries—“ranging from car salesmen and property managers to bail bondsmen and 
bounty hunters”—through a chain of third parties that began with AT&T and Aggregator 


Id. (emphasis added). 

Id. 

Id. 

Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” Motherboard 
(Jan. 8, 2019), available at https://motherboard.viee.com/en us/article/nepxbz/i-gave-a-bounty- 
hunter-300-dollars-loeated-phone-mierobilt-zumigo-tmobile . 

Id. 
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Defendant Zumigo. Zumigo then sold the data to a eompany called Microbilt. AT&T 
confirmed that it had approved Zumigo’s sale of its customers’ data to Microbilt. 

66. Microbilt, in turn, sold the AT&T location data “to a dizzying number of sectors, 
including landlords to scope out potential renters; motor vehicle salesmen, and others who are 
conducting credit checks.”^' Figure 2 immediately below further illustrates the flow of customer 
location information. 


Location 

Aggregators 


Bounty 

Hunters 


Car 

Salesman 

Landlords 


Bail 

Bondsmen 


Creditors 


AT&T 


Microbilt 


Figure 2 

67. These industries used Microbilt’s services to “return a target’s full name and 
address, geolocate a phone in an individual instance, or operate as a continuous tracking 
service.”As Microbilt advertised to its clients, “[y]ou can set up monitoring with control over 
the weeks, days and even hours that location on a device is checked as well as the start and end 
dates of monitoring. 

68. Included among Microbilt’s customers are bail bondsmen and bounty hunters. 


59 

60 
61 
62 
63 


Id. 

Id. 

Id. 

Id. 

Id. 
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69. In one January 2019 report, a journalist was able to find the real-time loeation of a 
phone in Queens, New York, within an aeeuraey of just a few bloeks, by buying loeation data 
from Mierobilt through a bounty hunter.But for the reporter personally informing the phone’s 
owner that he would be using the teehnology to loeate her, no eonsent was obtained by the 
bounty hunter before loeating the phone. The phone’s owner was never informed by her carrier, 
the location aggregator, or the bounty hunter that her real-time location data would be or had 
been accessed, nor was her consent requested to do so. None of them provided her with a text 
message, alert, notification, or indeed any indication at all that they had accessed her phone and 
targeted her location; their access was completely invisible to her. 

70. Just as access to the carrier location data was passed down a chain, so too was the 
proclaimed responsibility for obtaining customer consent before accessing that data. Both the 
carriers and the Aggregator Defendants claimed that they required their clients “to get consent 
from the people they want to track,” rather than obtain any direct consent themselves. 

71. A bail industry employee who used Mierobilt to access cell carrier location data 
confirmed that the lack of a true consent structure for the real-time location data allowed the data 
to be used for nefarious purposes, such as allowing bounty hunters to “track[] their girlfriends.”^^ 
It also allowed for a robust, unregulated black market of the data to develop. According to the 
source, “[tjhose third-level companies sell their services. That is where you see the issues with 
going to shady folks [and] for shady reasons. 

72. AT&T admitted that use of its customers’ data by bounty hunters was an explicit 
breach of the company’s policies. However, AT&T attempted to downplay the importance of 
the Securus and Mierobilt breaches as isolated events. 


64 

65 

66 

67 

68 
69 


Id. 

Id. 

Id. 

Id. 

Id. 

Id. 
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73. In response to this latest round of reporting, fifteen U.S. senators ealled for an 
investigation into how AT&T and other wireless carriers were selling access to real-time 
customer location data. Their letter stated: “It is clear that these wireless carriers have failed to 
regulate themselves or police the practices of their business partners, and have needlessly 
exposed American consumers to serious harm.” 

iv, February 2019 Reporting Reveals Scope and Nature of AT&T’s Sale of 
Customer Location Data to Bounty Hunters. 

74. On February 6, 2019, public reporting revealed both the large scale of cell 
carriers’ sale of access to their customers’ location data to bounty hunters and that AT&T was 
allowing the sale of a particularly precise type of location data.^^ 

75. This round of reporting centered largely on a bail bond and bounty hunter 
company called CerCareOne. CerCareOne obtained access to carrier-level location data, 
including data from AT&T, through LocationSmart.^^ 

76. As industry documents confirm, CerCareOne sold its access to more than 250 
bounty hunters and related businesses between 2012 and 201 7. These companies were 
conducting thousands of searches for customers’ precise geolocation data (these searches are 
often called “pings”), with one bail bond company making more than 18,000 data requests. 


Letter from United States Senators Ron Wyden, Edward J. Markey, Kamala D. Harris, Jeffrey 
A. Merkley, Sheldon Whitehouse, Charles E. Schumer, Richard Blumenthal, Patrick Leahy, 
Benjamin L. Cardin, Amy Klobuchar, Kirsten Gillibrand, Cory A. Booker, Jack Reed, Tina 
Smith, and Bernard Sanders to Joseph J. Simons (ETC) and Ajit Pai (ECC) (Jan. 24, 2019), 
available at https://www.wvden.senate.gov/imo/media/doc/15-senators-location-aggregator- 
letter-to-fcc-ftc-final.pdf 

Joseph Cox, “Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 
Calls,” Motherboard (Eeb. 6, 2019), available at 

https://motherboard.vice.com/en us/article/a3b3dg/big-telecom-sold-customer-gps-data-911- 

calls ; Joseph Cox, “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint 
Customer Location Data for Years,” Motherboard (Eeb. 6, 2019), available at 
https://motherboard.vice.coin/en us/article/43z3dn/hundreds-bountv-hunters-att-tmobile-sprint- 

customer-location-data-years . 

Joseph Cox, “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint 
Customer Location Data for Years,” supra at 71. 

^^Id. 
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77. This latest round of reporting also revealed that AT&T was selling access to a 
particularly sensitive type of location data: “assisted GPS” or “A-GPS” data. A-GPS location is 
determined using the carrier’s network infrastructure, the phone’s GPS chip, and other 
technologies such as WiFi and Bluetooth. The combination can locate customers with finely- 
tuned accuracy, often revealing their location within a building. A-GPS data is intended to be 
used to help locate carrier customers when they called 911. LocationSmart confirmed that it was 
in fact using A-GPS data for location tracking. 

78. As Colorado Law Associate Professor Blake Reid explained, “with assisted GPS, 
your location can be triangulated within just a few meters. This allows constructing a detailed 
record of everywhere you travel.” 

79. Bounty hunters bought carrier-level location data for as much as $ 1,100 per ping, 
and confirmed that they were reselling the location data to additional third parties. The 
articles’ sources confirmed that targeted individuals receive no text message or other warning 
that their phones are being tracked. 

80. The companies selling access to carrier location data were attempting to keep the 
sale of this data a secret. As a condition of access to the data, CerCareOne required its 
customers to agree to keep its very existence confidential. It also designed a misleading 
website: its homepage stated that the site was “under construction,” but a back-end portal 
allowed its customers to log in and access call carrier customer location data. 


^Ud. 

^^Id. 

Id. 

Id. 

^^Id. 

^Ud. 

Id. 
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81. In March 2019, Senator Wyden wrote to executives at AT&T, stating it was “now 
abundantly clear that [they] have failed to be good stewards of [their] customers’ private location 
information.”^' 

82. In sum, between May 2018 and March 2019, media reports revealed the existence 
of a vast, illegal market for the real-time location data of AT&T customers. AT&T granted direct 
access to this data to the Aggregator Defendants, who in turn sold sueh access to hundreds of 
third parties—including bounty hunters, bail bondsmen, landlords, and law enforeement—^with 
AT&T’s consent. This system allowed the precise, real-time location data of millions of 
Americans to be bought and sold by unknowable third parties for years without customer eonsent 
or knowledge and without valid legal authority. Despite numerous representations by AT&T that 
it would end the Aggregator Defendants’ access to this data, the practice—and the risks it 
created—continued without eonsequence. 

C, Defendants Developed and Profit from a Robust Market for Customers’ 
Real-Time Location Data. 

83. Unauthorized individuals gained aecess to AT&T customers’ real-time loeation 
data without consent or legal authority beeause of AT&T’s practice of selling access to this data 
to data aggregators and hundreds of additional third parties without properly proteeting the data 
or establishing sufficient safeguards and eonsent mechanisms. As a result, downstream 
purehasers have been able to systematically gain improper access to real-time customer location 
data without customer knowledge or eonsent, and without valid legal authority for such access. 

84. Beginning at the latest in January 2011, AT&T began using data location 
aggregators to manage the buying and selling of its eustomers’ real-time loeation data.^^ 


Letter from U.S. Senator Ron Wyden to Miehel Combes (Sprint Corp.), Randall L. Stephenson 
(AT&T Inc.), John Legere (T-Mobile US, Inc.), and Hans Vestberg (Verizon Communications 
Inc.) (Mar. 13, 2019), available at https://www.documentcloud.org/documents/5767085-Wvden- 
Letter-to-T eleeoms-Mareh-13th-2019.html . 

Aaron Huff, “AT&T Offers New Tracking Platform,” CCJ Digital (archived from Jan. 4, 
2011), attaehed hereto as Ex. D. 
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85. In October 2011, LocationSmart (then kn own as Locaid) announeed “AT&T’s 
adoption of [its] platform” and marketed its ability to “access location for 360 million mobile 
and landline devices nationwide.That same year, LocationSmart claimed its “crossearrier 
web services platform provides instant access to nearly 90% of mobile and landline phones 
nationwide, including smart phones, feature phones and tablets.” 

86. In 2019, AT&T confirmed that it contracted with Aggregator Defendants 
LocationSmart and Zumigo.^^ 

87. Upon information and belief, the Aggregator Defendants were given aecess to 
AT&T’s networks and infrastructure pursuant to their relationships with AT&T, allowing them to 
directly access the location data of AT&T’s customers. 

88. In October 2012, LocationSmart advertised that it “conneets directly to all major 
nationwide carriers as a trusted aggregator of deviee location. . . . Let me share a little secret. . . 
you have immediate access to virtually all subseribers with minimal development.”^^ 


“AT&T Mobility leverages TechnoCom’s eross-carrier location platform as a key offering for 
its enterprise customers,” LocationSmart (Oct. 11, 2011), available at 
https://www.locationsmart.com/companv/news/san-diego-companv-technocom-powers-atts- 

location-information-services ; see also “San Diego Company, TechnoCom, Powers AT&T’s 
Loeation Information Services,” LocationSmart (Oct. 11, 2011), available at 
https://www.locationsmart.com/companv/news/san-diego-companv-technocom-powers-atts- 

location-information-services; Letter from Timothy McKone (AT&T Services, Inc.) to U.S. 
Senator Ron Wyden (June 15, 2018), supra at 51. 

“Angel and TechnoCom Optimize Customer Experience with Cloud-Based Caller Location,” 
LocationSmart (Oct. 11, 2011), available at 

https://www.locationsmart.com/companv/news/angel-and-technocom-optimize-customer- 

experience-with-cloud-based-caller-location . 

Letter from Timothy MeKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (Feb. 15), 
2019, supra at 7. 

LocationSmart claimed that it first established “direct carrier connections” in 2010. 
“LocationSmart Authorized to Deliver Location Data for iGaming in New Jersey,” 
LoeationSmart (Nov. 27, 2013), available at 

https://www.locationsmart.com/companv/news/locationsmart-authorized-to-deliver-network- 

location-data-for-igaming-in-new-jersey . 

“LocationSmart Capabilities,” LocationSmart (archived from Oct. 31, 2012), attached hereto 
as Ex. E. 
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89. In 2013, LocationSmart advertised that it had "'direct mobile carrier connections 
covering over 90% of subscribers nationwide for secure mobile phone location and messaging 
services” and that its platform "utilizes direct network connections to obtain secure cellular and 
assisted GPS location insight.”^^ 

90. This direct access provided the Aggregator Defendants with immediate access to 
precise, real-time location data. 

91. In 2018, LocationSmart advertised its ability to locate cell customers’ cell phones 
in 5 to 20 seconds, depending on the level of accuracy purchased. “Network-based locates 
may be requested by accuracy desired. Precise, Coarse, or Best Effort requests may be made,” 
LocationSmart explained. “Precise requests are <=300 meter accuracy; Coarse requests are >301 
meters and Best Available provides the best location possible. 

92. In 2017, Zumigo advertised that it “[IJocates a mobile phone using mobile 
networks - No app needed, no barriers to adoption!”^^ It explained that in order to locate carrier 
customers, it “queries mobile network and seeks location [latitude-longitude] of customer” and 
then “converts customer [latitude-longitude] to physical location[.]”^^ 

93. Once the Aggregator Defendants obtained direct access to AT&T customers’ real¬ 
time location data, they began selling access to that location data to their own customers. 

i. For example. Aggregator Defendant LocationSmart provided Securus 

with location data utilizing AT&T data. Securus, in turn, contracted with thousands of different 


“LocationSmart Authorized to Deliver Location Data for iGaming in New Jersey,” 
LocationSmart (Nov. 27, 2013), available at 

https://www.locationsmart.com/companv/news/locationsmart-authorized-to-deliver-network- 

location-data-for-igaming-in-new-jersey (emphasis added). 

“FAQs,” LocationSmart, available at https://www.locationsmart.com/cms/resources/faqs- 
2018.pdf 

^Ud. 

Snehashis BChan, “Securing Transactions and Customer Applications through Location,” supra 
at 17 (emphasis in original). 

^^Id. 

.Jennifer Valentino-DeVries, “Service Meant to Monitor Inmates’ Calls Could Track You, 
Too,” supra at 22. 
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clients, including detention centers, to provide inmate communieations services. While 
Securus’ main business was monitoring where inmates were located when they placed calls, it 
offered an additional location data service (whieh it referred to as its “Location Based Service” 
or “LBS”).^^ In order to locate individuals through LBS, Securus granted prisons and jails 
access to a web portal where they could request real-time location data, which was determined 
using carrier-level technology. This service was provided through intermediaries between the 
cell carriers and Securus, including LocationSmart and SCinteractive.^^ 

ii. Similarly, Aggregator Defendant Zumigo contracted with AT&T to obtain 

access to AT&T customer real-time location data. Zumigo then began providing access to the 
data to third party Microbilt, with AT&T’s approval. Microbilt, in turn, sold the data to bounty 

hunters, who sold it to bail bondsmen and—ultimately—^to a journalist. Aggregator Defendant 
Zumigo confirmed in 2019 that it provided the phone location to Microbilt and defended its sale 
of that data to bounty hunters. 

iii. LoeationSmart (then kn own as Locaid) was also responsible for selling 
carrier location data to a company called CerCareOne.For at least five years, CerCareOne 
sold carrier customers’ real-time location data to at least 250 bounty hunters, bail bondsmen, and 
bail agents to find the real-time location of mobile phones. CerCareOne charged up to $1,100 
per phone location request. Industry documents show—and LocationSmart admitted—that 
LocationSmart continued to sell earrier data to CerCareOne after it merged with Locaid in 
2015.'°^ 

See Hutcheson Indictment at ][ 11. 

See id. at ][ 2. 

See id. at ][][ 3-4. As described in Sections A and C, the eell earriers’ infrastructure allows the 
carriers to determine the precise location of their eustomers in real time. 

See id. at ][][ 3-4. For more detail on this chain of access, see Section B. 

Letter from Timothy P. McKone to U.S. Senator Ron Wyden (Feb. 15, 2019), supra at 7. 
Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” supra at 57. 

'O' “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer 
Location Data for Years,” supra at 71. 

'02 m 

'02 M. 
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94. In each of the above examples, the carrier customers’ sensitive, real-time location 
data was used to target and track those customers without their knowledge or consent, and 
without proper legal authority. 

95. AT&T had knowledge that the Aggregator Defendants were selling access to its 
customers’ location data information to additional companies. 

96. AT&T admitted in 2018 that it used the Aggregator Defendants to “manage [] 
requests for customer data” and claimed that “[s]uch practices are common among all major 
carriers.” 

97. Not only did AT&T kn ow that the Aggregator Defendants were selling its 
customers’ location data to other companies, it was also aware of the scale of that market because 
AT&T approved the Aggregator Defendants’ customers. 

98. Locaid, for example, informed its customers in 2011 that it would take 
approximately two weeks for cell carriers to approve the customers’ request for access to the 
carrier location data. 

99. Similarly, LocationSmart informed potential customers in 2012 that they would 
need “[cjarrier review and confirmation to launch.” In 2018, they advertised that “carrier 
certification” takes two weeks. 

100. AT&T admitted in 2018 that it approved LocationSmart’s sale of data to 
Securus. As fully alleged above, Securus’ access to carriers’ location data caused thousands of 
instances of unauthorized access to carrier customers’ real-time location data. 


Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 

105 “Mobile Location Overview,” Locaid (April 2011), available at 
https://crvptome.org/2014/08/locaid.pdf 

106 LocationSmart Works,” LocationSmart (archived from Oct. 31, 2012), attached hereto 
as Ex. F. 

107 “paQs,” LocationSmart, supra at 89. 

Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 
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101. AT&T admitted in 2019 that it also provided aeeess to its customer location data 
to Aggregator Defendant Zumigo and Microbilt. As fully alleged above, Microbilt sold access 
to AT&T customers’ location data to numerous third parties, including bounty hunters who resold 
that access without any customer consent or legal authority. 

102. AT&T participated in the unlawful sale of access to its customer location data, 
and as the entity in control of the networks upon which such access was based, had unbridled 
control over the practices. 

103. AT&T also kn ew that the Aggregator Defendants were using its customer location 
data for a broad array of purposes, including marketing. 

104. In a 2013 public interview, LocationSmart CEO Mario Proietti advertised the 
marketing potential of location data, stating that “[pjrecise location detection using WiFi is also 
ideal for proximity marketing to provide relevant promotions that enhance brand loyalty, drive 
in-store traffic and increase conversion rates.” 

105. In a 2013 YouTube video, Zumigo CEO Chirag Bakshi stated, “Ed be remiss if 1 
didn’t mention the power of our location data for marketing. Our mobile data can make any 
marketing program more relevant to your customer[.]”"' In a 2017 presentation, Zumigo 
advertised using its services to “[mjarket customers based on their current location.” 

106. AT&T was also aware of data aggregators’ location-based capabilities and uses 
for the customer location data because it used the data itself For example, one aggregator 
confirmed that major telecommunications carriers rely on location data aggregators and bounty 
hunters to use customer data—including location data—to find their own customers when those 


Fetter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (Feb. 15, 
2019), supra at 7. 

Robert Prime, “Focationsmart.net Interview with Mario Proietti,” Telematics.com (Sept. 19, 
2013), available at https://www.telematics.coin/location-smart-interview/ . 

“Faunchpad 360: Zumigo,” YouTube (Nov. 6, 2013), available at 
https://www.voutube.com/watch?v=PDVZmq-FlFO . 

' Snehashis Khan, “Securing Transactions and Customer Applications Through Focation,” 
supra at 17. 
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customers fail to pay their wireless bills.' In other words, earners are not only selling the data 
but aetually benefiting from its use as well. 

107. This eomplex chain of location data sales demonstrates AT&T’s knowledge: (i) 
that its customers’ real-time loeation data was being bought and sold, (ii) of the depth and 
breadth of that market, (iii) of the laek of diligenee in verifying eustomers’ consent, and (iv) of 
the various ways that the precise, real-time loeation data was being used. 

D, Defendants Sell Access to Location Data Intended for Enhanced 911- 
Purposes, 

108. AT&T’s location data is extremely valuable to the downstream data market 
because it can reveal its customers’ precise, real-time location information on demand. 

109. AT&T’s ability to obtain this very sensitive data was not intended for commercial 
sale, but rather for a much nobler purpose: to locate the carriers’ customers when they call 911. 
For this same reason, customers have no way to opt out of the collection of this data by their 
wireless carriers for use in emergency situations. 

i, AT&T Lobbies the FCC to Allow Its Use of Precise A-GPS Data to 
Comply with E911 Regulations, 

110. Asa telecommunications provider, AT&T is entrusted to use its eellular networks 
and the teehnology it installs within its eustomers’ phones to determine their loeation in case of 
an emergeney This teehnology, called Enhaneed 911 service (“E911”) allows emergeney 
response personnel to pinpoint the loeation of a eellular telephone ealler anywhere in the United 
States when the ealler places a 911 eall. 

111. The Eederal Communications Commission (“FCC”) first established E911 
location accuracy rules in 1997. By 2010, the FCC was eoncemed about the aeeuracy of E911 
data for calls placed from inside buildings or residenees, and sought eomment from earriers and 
the public about the feasibility of implementing aeeuracy rules regarding indoor 911 ealls. 


“I Gave a Bounty Hunter $300. Then He Loeated Our Phone,” Cyber Podeast (Jan. 24, 2019). 
Further Notice of Proposed Rulemaking and Notice of Inquiry, In the Matter of Wireless 
E911 Location Accuracy Requirements, 25 FCC Rod 18957 (2010). 
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Several working groups began analyzing the issue and designing test beds for new teehnology. 
Aggregator Defendant LoeationSmart partieipated in this testing and deseribed itself as a “key 
player in the development and adoption of industry standard E911 testing methodologies.” ^ 

112. In 2014, the FCC alerted wireless companies that it would indeed be updating its 
E911 location accuracy rules “to ensure accurate indoor location information.”"^ In the near 
term, the ECC proposed accuracy metrics that would allow responders to “identify floor level for 
most calls from multi-story buildings.” In the long term, it sought location information at the 
room or office suite level. The FCC sought carriers’ comments on how to meet these goals. 

113. In response, maj or telecommunications providers—including AT&T—proposed 
“a new course” which would allow them to pinpoint 911 callers at the floor, suite, or apartment 
level by leveraging “new technologies” that used signals from nearby fixed wireless devices, 
such as increasingly prevalent Wi-Fi access points and Bluetooth Low Energy beacons to locate 
carrier subscribers. With this new technology (referred to herein as “assisted GPS” or “A- 
GPS”), the carrier’s network would “automatically collect information from the wireless handset 
about wireless access points within the vicinity of the wireless handset.” Carriers, including 
AT&T, would cause this information to be stored on their customers’ devices where it would be 
made available to the carriers and could be shared in the event of an emergency. 


See, e.g., “Working Group 3, E 9-1-1 Location Accuracy Final Report v2,” Communications 
Security, Reliability and Interoperability Council III (June I, 2012), available at 
http://transition.fcc.gov/bureaus/pshs/advisorv/csric3/CSRICIII 6-6-12 WG3-Final-Report.pdf 

See, e.g., Letter from Masoud Motamedi (President, TechnoCom Corporation) to Marlene H. 
Dortch (Secretary, FCC) (June 23, 2014), available at 
https://ecfsapi.fcc.gov/file/7521337390.pdf 

“TruePosition Indoor Test Report: Wilmington, DE,” TechnoCom (June 18, 2014), attached 
hereto as Ex. G. 

Third Further Notice of Proposed Rulemaking, In the Matter of Wireless E911 Location 
Accuracy Requirements, 29 FCC Red 2374 ][ 1 (2014) (hereafter '"Third Further Notice”). 

'20 m 

'2'M. atT12. 

'2^ Id. 

'2^ Memorandum Opinion and Order, In the Matter of Wireless E9II Location Accuracy 
Requirements, 32 FCC Red. 9699 T1 5 (2017) (hereafter “NEAD Implementation Order”). 
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114. Once a cell phone “knows” what Wi-Fi or Bluetooth beaeons are nearby, using A- 
GPS technology, it also needs to “ kn ow” where exactly those beacons are located (via a physieal 
address) to provide the phone’s location. To solve this problem, the carriers proposed the 
creation of the National Emergency Address Database (“NEAD”) to store the physical addresses 
of fixed indoor beaeons. The beacons would be identified by a unique number ealled a MAC 
address, whieh is similar to a hardware serial number. The carriers’ networks could then query 
the NEAD platform for MAC addresses of beacons near the 911 caller’s phone to see if the 
beacons were saved in the NEAD and associated with a verified street address.” Eor example, 
an entry in the NEAD might look like Eigure 3 immediately below for a beaeon located within 
the Eibrary of Congress; 


MAC Address 

Street 1 

Street 2 

City 

State 

la;2b;3e;4e;5f;6a 

101 Independenee Ave. 

El. 3 

Washington 

DC 


Figure 3 


115. Numerous consumer privacy organizations warned the FCC that the NEAD raised 
“signifieant privacy-related concerns.” Specifically, the location technology underlying the 
NEAD eould be “used to improve location accuracy not only of E911 services, but also of other 
serviees, including commercial services, that rely on the same technology. This is concerning 
because consumers are highly protective of information about their location.” 


Roadmap at Section 2(e)(i). 

NEAD Implementation Order ][ 5. 

Comments of Public Knowledge, Alvaro Bedoya, American Civil Eiberties Union, Benton 
Eoundation, Center Eor Democracy & Technology, Center Eor Digital Democracy, Common 
Sense Media, Consumer Action, Consumer Eederation of America, Consumer Eederation of 
California, Consumer Watchdog, Electronic Erontier Eoundation, Electronic Privacy Information 
Center, New America Eoundation’s Open Technology Institute Privacy Rights Clearinghouse, 
U.S. PIRG, and World Privacy Eorum, In the Matter of Wireless E911 Location Accuracy 
Requirements (Dec. 15, 2014) at 3, available at 

https://www.publicknowledge.org/documents/ofFicial-comments-on-wireless-e911-location- 

accurac v-requirements . 

Id. at 2. 

Id. at 5 (emphasis added). 
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116. In February 2015, the FCC announced that wireless carriers would be required to 
provide either a dispatchable address or longitude and latitude location “within 50 meters” for a 
gradually increasing percentage of wireless 911 calls, ultimately aiming to achieve location data 
within 50 meters for 80% of wireless 911 calls by 2020. It also set benchmarks for the 
development of z-axis data (/.e., height or floor within a building). Crucially, the FCC gave 
wireless carriers permission to develop the ability to use, and then actually use, their customers’ 
A-GPS data for E911 purposes. 

117. Importantly, the FCC also adopted new privacy rules that applied to the new E911 
A-GPS data being developed and utilized by the carriers. The FCC required that “as a condition 
of using the NEAD or any information contained therein to meet our 911 location requirements, 
and prior to use of the NEAD, [wireless carriers] must certify that they will not use the NEAD or 
associated data for any purpose other than for the purpose of responding to 911 calls, except as 
required by law.” AT&T, specifically, “pledg[ed] that the information contained in the NEAD 
will not be used for any non-emergency purposes.” 

ii, AT&T Sold Access to E911 Data for Commercial Purposes, 

118. Despite the sensitive nature of precise E911 A-GPS location data and AT&T’s 
obligations and promises to protect this data from unauthorized or commercial use, AT&T began 
providing access to its customers’ E911 A-GPS data to the Aggregator Defendants and hundreds 
of third parties without proper customer consent or legal authority. 

119. As confirmed by industry documents, the Aggregator Defendants’ downstream 
customers were obtaining access to carrier customers’ A-GPS data. 

47C.F.R. §20.18(i)(2)(i). 

47C.F.R. §20.18(i)(2)(ii). 

See, e.g., 47 C.E.R. § 20.18(h)(l)(v). 

132 47 C.F.R. § 20.18(i)(4)(iv) (emphasis added). 

133 Fourth Report and Order, In the Matter of Wireless E911 Location Accuracy Requirements, 

30 F.C.C. Red. 1259 T] 71 (2015) (“AT&T pledges that the information contained in the NEAD 
will not be used for any non-emergency purposes.”). AT&T filed its certification regarding the 
use of the NEAD at the FCC on June 1, 2018. 

13'! “Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 Calls,” 
supra at 71. 
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120. Carriers admit that this A-GPS data is intended for use in publie safety seenarios. 
As one carrier told the FCC: “A-GPS is reasonably the foundation of wireless [emergency] 911 
location for both indoor and outdoor locations.” 

121. AT&T knew that access to its customers’ A-GPS was being sold. The Aggregator 
Defendants publicly marketed their ability to use precise A-GPS data for commercial purposes. 

122. LocationSmart’s 2018 advertising materials likewise confirmed its use of beacon- 
based A-GPS technology. 

123. LocationSmart advertises to customers its ability to “utilize the same technology 
used to enable emergency assistance and this includes cell tower and cell sector location, 
Assisted GPS and cell tower trilateration.”'^^ In May 2018, LocationSmart disclosed that “[t]he 
data provided is based on cell tower location, cell tower trilateration and assisted GPS 
information gleaned from the mobile devices” and stated that its services “can pinpoint precise 
locations.” 

124. LocationSmart confirmed that “[cjarrier location services available through 
LocationSmart are based on a variety of technologies depending on each carrier’s particular 
location infrastructure implementation. That could include AGPS, cell tower, cell sector, or cell 
site trilateration.”'^^ 

125. As described by Colorado Law Associate Professor Blake Reid, “the only reason 
we grant carriers any access to this information is to make sure that first responders are able to 
locate us in an emergency. If the carriers are turning around and using that access to sell 


Letter from John T. Nakahata (Counsel to T-Mobile USA, Inc.) to Marlene H. Dortch (FCC) 
(Nov. 16, 2013), available at https://ecfsapi.fcc.gov/fde/7520958047.pdf 
136 “paQs,” LocationSmart, supra at 89. 

Ex. C (LocationSmart “Carrier Network Location Collateral”). 

'3' Id. 

Joseph Cox, “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint 
Customer Location Data for Years,” supra at 71. 
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information to bounty hunters or whomever else, it is a shocking abuse of the trust that the public 
places in them to safeguard privacy while protecting public safety.” 

E. AT&T Allowed Unauthorized Third Parties to Access Customers’ Location 

Data. 

126. While admitting that it allowed third parties to access its customers’ real-time 
location data, AT&T asserted that such access was only granted with customer consent or legal 
authority. That representation was and is false. AT&T and its agents, the Aggregator 
Defendants, failed to obtain customer consent or obtain proper legal authority before allowing 
third parties to use or access carrier customers’ real-time location information. 

127. AT&T admittedly did not seek customer consent directly. Instead, it maintained 
that the companies seeking to access customers’ real-time location data (such as Securus, 
Microbilt, and CerCareOne) were responsible for obtaining consent or legal authority for the 
information. 

128. After improperly pushing its duty to obtain consent downstream, AT&T failed to 
confirm that the Aggregator Defendants and/or the Aggregator Defendants’ customers (such as 
Microbilt, Securus, and CerCareOne) obtained any customer consent or proper legal authority 
before granting them access to customer location. 

129. In fact, the Aggregator Defendants’ customers routinely failed to obtain customer 
consent or legal authority. 

130. For example, as AT&T admitted in 2018, Securus “did not in fact obtain customer 
consent before collecting customers’ location information.Instead, Securus required users to 
upload a document showing that they had legal authority to request a specific carrier customer’s 

Joseph Cox, “Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 
Calls,” supra at 71. 

See, e.g., Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden 
(June 15, 2018), supra at 51. 

See, e.g., id.', Brian Krebs, “AT&T, Sprint, Verizon to Stop Sharing Customer Location Data 
with Third Parties,” Krebs on Security, supra at 49. 

Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 
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real-time loeation information. Seeurus offieials “confirmed ... that Securus takes no steps to 
verify” that the uploaded document actually provided such legal authorization and failed to 
conduct “any review of surveillance requests.” 

131. Indeed, Senator Wyden stated in his letter to AT&T that “[sjenior officials from 

Securus have confirmed... that it never checks the legitimacy of those uploaded documents to 
determine whether they are in fact court orders and has dismissed suggestions that it is obligated 
to do These documents did not even have to appear to be legitimate; federal authorities 

allege that Sheriff Hutcheson uploaded documents from his health insurance plan and a sheriffs 
manual and was nonetheless granted access to nonconsenting individuals’ real-time location 
data—including the location data of a judge—on the basis of those documents. 

132. Once any document was uploaded, all that a Securus customer had to do to access 
a carrier customer’s real-time location data was check a box on the Securus portal that stated, 
“[b]y checking this box, I hereby certify the attached document is an official document giving 
permission to look up the location on this phone number requested.” Once that box was 
checked, the user clicked “Get Location” and Securus would use carrier-level location data to 
immediately provide the longitude and latitude of the phone’s current location, as well as an 
address. 

133. The immediate access to location information reveals that Securus never intended 
to verify the legitimacy of purported legal authority before disclosing real-time location data. 
Instead, Securus pushed responsibility even further down the chain and “relied upon law 
enforcement’s representation that it had appropriate legal authority.” 


Letter from U.S. Senator Ron Wyden to Randall L. Stephenson (AT&T) (May 8, 2018), supra 
at 32 (emphasis added). 

Id. (emphasis added). 

Hutcheson Indictment at ][ 22. 

See id. at ][ 6. 

See Hutcheson Indictment at ][ 7. 

Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 
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134. In other words, in the case of the Securus breaches, the responsibility to confirm 
authorization for real-time location tracking was passed down every rung of the chain; from 
AT&T to Location Smart, from LocationSmart to SCinteractive, from SCinteractive to Securus, 
from Securus to correctional facilities, and from those facilities down to individual officers. 

135. By abdicating its responsibility in this manner and failing to implement effective 
controls against unauthorized access to location data, AT&T failed to protect its customers’ 
sensitive location data, and instead benefited from its dissemination. 

136. AT&T’s dereliction of its duty has had widespread impact. Securus had 
thousands of customers as of 2013, each of which—on information and belief—could request 
access to AT&T customers’ real-time geolocation information. Upon information and belief, 
none of those customers’ representations about consent or legal authority was ever verified. 

137. AT&T’s failures to protect its customers and obtain proper authorization before 
disclosing location data are further exemplified by its admissions concerning Securus’ access to 
its customers’ location data. 

138. In June 2018, AT&T Services, Inc.’s Executive Vice President, Timothy McKone, 
wrote that “AT&T has never authorized the use of its customers data for the Securus web portal 
service described in [Wyden’s] letter.” 

139. But this representation only exemplifies the magnitude of AT&T’s extreme 
recklessness and knowing negligence. That Securus was able to use AT&T data on a wide scale 
without AT&T’s authorization reveals that AT&T’s safeguarding of access to its customers’ real¬ 
time location data and its system for obtaining and tracking customer approval before third-party 
use was so lax, it was unaware of how the data was used and by whom. 

140. Securus’ ability to use AT&T data without authorization was not an isolated 
incident, but instead just one example of AT&T’s pattern and practice of allowing unlawful 
access to its customers’ sensitive real-time location information. 
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141. For example, CerCareOne allowed more than 250 bail bond companies and 
bounty hunters to use carrier data “tens of thousands of times to locate phones” - often without 
any consent from the customer. 

142. Additionally, a reporter was able to obtain the precise location information of an 
individual—ultimately through Aggregator Defendant Zumigo’s access to cell carrier location 
data—^without obtaining any documented consent from the targeted carrier customer. The 
reporter personally obtained such consent, but that same consent was never itself verified, 
apparently, by either Zumigo or the individual’s cell carrier. 

143. By providing the Aggregator Defendants direct access to customers’ location data 
and allowing the Aggregator Defendants’ to resell that access to additional third parties, AT&T 
abdicated its duty to get consent, instead allowing a chain of “consent handoffs” to develop. 

This led to the formation a robust market for customers’ location data with no oversight by 
AT&T, and a lack of proper consent or legal authority for such disclosures. This was in clear 
dereliction of AT&T’s duty to its customers. 

144. As Senator Wyden explained, “[cjarriers are always responsible for who ends up 
with their customers data—it’s not enough to lay the blame for misuse on downstream 
companies.” Senator Wyden stated that the carriers’ practices of attempting to delegate the 
responsibility for obtaining consent “skirt[ed] wireless carrier’s legal obligation to be the sole 
conduit by which the government conducts surveillance of Americans’ phone records[.]”^^^ He 
asserted that “[wjireless carriers have an obligation to take affirmative steps to verify law 
enforcement requests for customer information” and that absent such legal authority, federal law 
permits the disclosure of customer location data to third parties only when the customer consents. 

“Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer 
Location Data for Years,” supra at 71. 

Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” supra at 57. 

Joseph Cox, “Google Demanded That T-Mobile, Sprint Not Sell Google Fi Customers’ 
Location Data,” Motherboard (Jan. 11, 2019), available at 

https://www.vice.com/en us/article/d3bnvv/google-demanded-tmobile-sprint-to-not-sell-google- 

fi-customers-location-data . 

Letter from U.S. Senator Ron Wyden to Chairman Ajit Pai (FCC) (May 8, 2018), supra at 36. 
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He described the carriers’ practice of pushing its obligation to get the required consent down to 
other third parties as “the legal equivalent of a pinky promise.” This “clear abuse” of the consent 
structure and requirement for genuine legal authority, he asserted, was “only possible because 
wireless carriers sell their customers’ private information to companies claiming to have 
consumer consent without sufficiently verifying those claims.” 

F, Defendants’ Sale of Access to Customers’ Location Data Is Outrageous and 
Harmful, 

145. Plaintiffs and many other AT&T customers have been harmed by AT&T’s failure 
to properly protect their location data from unauthorized access, thereby disclosing Plaintiffs’ 
and customers’ legally protected information to the Aggregator Defendants and unknown 
additional other third parties. 

146. Plaintiffs were emotionally distressed by the discovery that their location data was 
sold to the Aggregator Defendants and additional unknown third parties without their consent. 

147. Not only has AT&T customers’ private location information been disclosed to 
unauthorized parties—including the Aggregator Defendants—but AT&T customers are also at 
substantial risk of additional, imminent future harm. Specifically, Plaintiffs and many other 
AT&T customers are at substantial risk of: (i) further disclosure of their personal information to 
additional third parties, (ii) disclosure of their personal information via a data breach, and (iii) 
disclosure of past location data already obtained by the Aggregator Defendants and/or additional 
unknown third parties. 

148. As the FCC has recognized, the unauthorized disclosure of carrier customers’ 
personal information “by any method invades the privacy of unsuspecting consumers and 
increases the risk of identity theft, harassment, stalking, and other threats to personal safety.” 
According to the FCC, “[t]he black market for [wireless customers’ proprietary network 
information] has grown exponentially with an increased market value placed on obtaining this 

Report and Order and Further Notice of Proposed Rulemaking, In the Matter of 
Implementation of the Telecommunications Act of 1996: Telecommunications Carriers Use of 
Customer Proprietary Network Info. & Other Customer Info., 22 F.C.C. Red. 6927 T] 46 (2007) 
(hereafter “2007 CPNI Order”). 
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data, and there is concrete evidence that the dissemination of this private information does inflict 
specific and significant harm on individuals, including harassment and the use of the data to 
assume a customer’s identity. The reality of this private information being disseminated is well- 
documented and has already resulted in irrevocable damage to customers 

149. Senator Ron Wyden describes location tracking as a “national security and a 
personal safety nightmare.” 

150. Congressman Fra nk Pallone, Jr. of New Jersey, Chairman of the House 
Committee on Energy and Commerce, called for an emergency hearing on Defendants’ practices 
in February 2019 and stressed the “grave consequences that unauthorized sharing of customer 
location data could have for public safety and national security!.]” 

151. FCC Commissioner Geoffrey Starks stated in February 2019 that “[i]t is 
absolutely chilling to think that a stranger can buy access to exactly where we are at any given 
moment by tapping into the data on our phones without our consent. And, now 1 am hearing 
allegations that consumers’ GPS data—data so accurate that it can pinpoint your location the 
floor of a building you are in—is also available for sale. It isn’t difficult to imagine intrusive or 
even downright dangerous uses of this data.”^^° Separately, he called the sale of customer 
location data “a matter of public safety. ... It isn’t difficult to imagine intrusive or even 
downright dangerous uses of this data.”^^^ 

152. As the public reporting surrounding the sale of customer location data illustrates, 
“as the data spreads out from the original source, being the [telecommunications providers], the 
risk of abuse just dramatically increases. Not only is it ending up in the hands of bounty hunters, 
but then of course those individuals might just spy on their girlfriends, as a source told [a 


2007 CPNI Order T] 39 (emphasis added). 

“I Gave a Bounty Hunter $300. Then He Focated Our Phone,” Cyber Podcast, supra at 113. 
Fetter from U.S. Representative Frank Pallone, Jr. to Chairman Ajit Pai (FCC) (Feb. 19, 
2019), attached hereto as Ex. H. 

Ex. B. (email from Michael Scurato (FCC) to Joseph Cox (Motherboard) (Feb. 4, 2019)). 
Email from Michael Scurato (FCC) to Jon Brodkin (Ars Tecnica) (Feb. 13, 2010), attached 
hereto as Ex. 1. 
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Motherboard reporter] is what happens among these people. Once a person has access to that 
data, they can—it appears—do whatever they want with it.”'^^ 

153. AT&T customers, including PlaintilTs, are at substantial risk that their location 
information will be disclosed to dangerous third parties, including stalkers and/or domestic 
abusers. The use of location data by stalkers and domestic abusers is well-known and 
documented. A 2009 Justice Department report estimated that more than 25,000 adults in the 
U.S. are victims of GPS stalking each year, including by cell phone. 

154. This risk is compounded by the fact that location targeting using carrier location 
data occurs surreptitiously and is invisible to the phone’s user. Users do not receive any alert or 
notification that their location has been accessed. Plaintiffs do not, and indeed cannot, know 
how many and which third parties—in addition to the Aggregator Defendants—accessed their 
sensitive location data. AT&T, the Aggregator Defendants, and the third parties with whom they 
contract to sell Plaintiffs’ and Class members’ location data are the sole parties with access to 
that information about whose data was sold, when, and to whom. 

155. The FCC has recognized that victims of cell carrier data breaches are at a 
heightened risk when they are unaware that the breach has occurred. Because PlaintilTs and 
Class members are unable to identify all of the parties who purchased their real-time location 
data through AT&T and its agents, they are unable to properly protect themselves. 

156. The risk of harm from Defendants’ massive dissemination of this highly sensitive 
customer location information is further compounded by the inherent and recurring hazards that: 

i. company employees will misuse the information; and 

“I Gave a Bounty Hunter $300. Then He Located Our Phone,” Cyber Podcast, supra at 113. 

Katrina Baum, Shannan Catalano, and Michael Rand, “Stalking Victimization in the United 
States,” Bureau of Justice Statistics, U.S. Department of Justice (Jan. 2009), available at 
https://www.iustice.gOv/sites/default/files/ovw/legacv/2012/08/15/bis-stalking-rpt.pdf 

“I Gave a Bounty Hunter $300. Then He Located Our Phone,” Cyber Podcast, supra at 113. 

2007 CPNI Order 26, 30. 

166 Megan Geuss, “AT&T Fined $25 Million After Call Center Employees Stole Customers’ 
Data,” Ars Technica, Apr. 8, 2015, available at https://arstechnica.com/tech- 
policv/2015/04/att-fined-25 -million-after-call-center-employees-stole-customers-data/ . See also 
Joseph Cox, “Snapchat Employees Abused Data Access to Spy on Users,” Motherboard, May 

_ -38- _ 

CLASS ACTION COMPLAINT 







1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 

24 

25 

26 

27 

98 


Case 3;19-cv-04063 Document 1 Filed 07/16/19 Page 41 of 80 


ii. security vulnerabilities will allow data thieves to steal the information. 

157. Additionally, AT&T represented to its customers that it would “not sell [their] 
personal information to anyone for any purpose. Period.” Plaintiffs and other AT&T 
customers relied on AT&T’s misrepresentations, believing that they were protected from the 
risks associated with unauthorized access to their real-time location data. 

158. Plaintiffs and AT&T wireless customers are at a continuing risk of access and 
misuse of their historical location data. This location data can be personally identifying on its 
own or when combined with other information, such as customers’ cell phone numbers, which 
are used in the location data request process. AT&T customers are therefore at a continuing, 
substantial risk that their historical location data will be accessed and their privacy further 
violated due to the fact that Defendants have already allowed the data to be breached and 
accessed by countless unknown third parties. 

G, The Sale of Location Data Violates Reasonable Expectations of Privacy and 
Is Highly Offensive, 

159. Plaintiffs’ reasonable expectation of privacy in their location data is enshrined in 
federal, state, and common law and reflected in widespread societal norms and Supreme Court 
jurisprudence. 

160. As recently observed by the Supreme Court, cell phone location data “present[s] 
even greater privacy concerns than the GPS monitoring of a vehicle ... [A] cell phone—almost a 
‘feature of human anatomy,’ tracks nearly exactly the movements of its owner. While individuals 
regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell 
phone faithfully follows its owner beyond public thoroughfares and into private residences. 


23, 2019, available at https://www.vice.com/en us/article/xwnva7/snapchat-emplovees-abused- 
data-access-spv-on-users-snaplion . 

Andrew Liptak, “Security Researchers Found Vulnerabilities at AT&T, T-Mobile, and Sprint 
That Could Have Exposed Customer Data,” The Verge, Aug. 25, 2018, available at 
https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-securitv-vulnerabilities- 

customer-information. 


168 


See Ex. A (AT&T Privacy Policy). 
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doctors offices, political headquarters, and other potentially revealing locales.” Carpenter v. 
United States, 138 S. Ct. 2206, 2218 (2018). 

161. A 2013 study, for example, found that 79% of people between the ages of 18 and 
44 have their smart phones with them 22 hours out of the day. Twenty-three percent of adults 
and 40 percent of teenagers say they use a mobile device within five minutes of waking up. 
Low-income Americans are more likely to be smart phone dependent because their smart phone 
is more likely to be their primary or only method to access the Internet. As of 2019, 26% of 
adults living in households earning less than $30,000 a year own a smart phone but do not have 
broadband internet at home (compared to only 5% of those living in households earning 
$100,000 or more). 

162. Due to the ubiquity of cell phones in individuals’ lives, cell phone location data 
“provides an intimate window into a person’s life, revealing not only his particular movements, 
but through them his ‘familial, political, professional, religious, and sexual associations.’” 
Carpenter, 138 S. Ct. at 2217. “These location records hold for many Americans the ‘privacies 
of life.’” Id. (quotation marks and citation omitted). Plaintiffs and similarly situated carrier 
customers therefore have a reasonable expectation of privacy in such data. 

163. Plaintiffs’ expectations of privacy have long been protected by the law. Invasion 
of privacy has been recognized as a common law tort for more than a century. In Griswold v. 
Connecticut, 381 U.S. 479 (1965), the Supreme Court confirmed the primacy of privacy rights, 
explaining that the Constitution operates in the shadow of a “right to privacy older than the Bill 
of Rights.” 


Allison Stadd, “79% of People 18-44 Have Their Smartphones With Them 22 Hours a Day,” 
Ad Week (April 2, 2013), available at https://www.adweek.com/digital/smartphones/ . 

Niraj Chokshi, “Your Kids Think You’re Addicted to Your Phone,” The New York Times 
(May 29, 2019), available at https://www.nvtimes.com/2019/05/29/technologv/cell-phone- 
usage.html . 

Monica Anderson, “Digital Divide Persists Even as Lower-Income Americans Make Gains in 
Tech Adoption,” Pew Research Center (May 7, 2019), available at 
https://www.pewresearch.org/fact-tarLk/20I9/05/07/digital-divide-persists-even-as-lower- 

mcome-americans-make-gains-in-tech-adoption/ . 
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164. In Carpenter, the Supreme Court specifically recognized the reasonable 
expectation of privacy a person has in the location information generated by her cell phone. 
Carpenter, 138 S. Ct. 2206. The Court held that the government’s warrantless access to 
customer location data invades an individual’s “reasonable expectation of privacy in the whole 
of his physical movements.” Id. at 2219. 

165. California also recognizes Plaintiffs’ expectations of privacy. California amended 
its constitution in 1972 to specifically enumerate a right to privacy in its very first section. See 
Cal. Const. Art. I, § 1. The California constitutional right of privacy is intended to protect 
Californians from Defendants’ “misusing information gathered for one purpose in order to serve 
other purposes[.]” 

166. The expectation of privacy in cell phone location data has been repeatedly 
reiterated by federal agencies. Indeed, the FCC has stated that it “fully expect[s] carriers to take 
every reasonable precaution to protect the confidentiality of proprietary or personal customer 
information.”'^^ 

167. FCC Commissioner Jessica Rosenworcel, in a letter to AT&T Communications 
CEO John Donovan regarding AT&T’s sale of access to its customers’ local data, stated that 
“[r]eal-time location information is sensitive data deserving the highest level of privacy 
protection.”'^'' 

168. The Federal Trade Commission (“FTC”) has also recognized consumers’ 
expectation of privacy in their location data. In 2016, the FTC entered into a settlement 
agreement with a mobile advertising company charged with deceptively tracking the location 


Ballot Pamp., Proposed Amends, to Cal. Const, with arguments to voters, Gen. Elec. (Nov. 7, 
1972), p. 27. 

2007 CPNI Order ^ 64. 

Eetter from Commissioner Jessica Rosenworcel (ECC) to John Donovan (AT&T) (May 1, 
2019), available at https://www.documentcloud.org/documents/5985428-ECC-Commissioner- 
Rosenworcel-letters-to-Telecom.html. 
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information of hundreds of millions of people with their knowledge or consent. The company 
agreed to pay a $950,000 civil penalty and institute a robust comprehensive privacy program. 

i. Plaintiffs’ Expectations Reflect Widely Held Social Norms, 

169. A reasonable person would believe that Defendants’ conduct described herein 
violates Plaintiffs’ expectations of privacy. 

170. According to a poll by the Pew Research Center, 93% of adults believe that being 
in control of who can get information about them is important, and 90% believe that controlling 
what information is collected about them is important. 

171. In a 2019 poll about location data, more than 83% of Americans responded that it 
was “never” okay for “companies that collect [their] location data to sell or share that data with 
third parties.”More than 14% responded that sharing location data was only permissible if 
the customer “was asked for, and gave, explicit consent (opted in).” Respondents’ top 
concerns regarding the collection and use of location data included; (1) general loss of privacy 
(61%); (2) risk of breach or that data could fall into a hacker’s or thief s hands (58%); (3) 
unauthorized use by law enforcement or the government (43%); use by companies for profiling 
(48%); and (5) personal safety risks, such as use by a stalker or ex-partner (43%). 

172. Americans do not approve of observation without consent: 88% say it is important 
that they not have someone watch or listen to them without their permission. 


Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of 
Consumers’ Locations Without Permission, Federal Trade Commission (June 22, 2016), 
available at https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising- 
network-inmobi-settles-ftc-charges-it-tracked . 

Mary Madden and Lee Rainie, “Americans’ Attitudes About Privacy, Security and 
Surveillance,” Pew Research Center (May 20, 2015), available at 
https://www.pewintemet.org/2015/05/20/americans-attitudes-about-privacv-securitv-and- 

surveillance/ . 

“Some Questions About Location Sharing,” Consumer Action (Feb. 8 to March 4, 2019), 
available at https://www.consumer-action.org/downloads/Location-tracking-survev-2019.pdf 

^^Ud. 
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173. A 2016 survey found that more Americans are concerned about not knowing how 
the personal information collected about them is used than are concerned about losing their 
principal source of income, being a victim of crime in their community, climate change, or 
access to affordable health care. Their top cause of concern “is companies collecting and 
sharing personal information with other companies” - the very conduct alleged here. 

174. A 2016 Pew Research Poll found that “[s]ome of the most strongly negative 
reactions” it received to questions about privacy “came in response to scenarios involving the 
sharing of personal location data.”^^^ 

175. Public outcry following the exposure of Defendants’ practices, including 
responses from members of the United States Congress, reflect society’s expectation of privacy 
in location data. In a letter from fifteen sitting United States Senators calling for an investigation 
into Defendants’ practices, the Senators stated, “Americans expect that their location data will be 
protected.”'*^ 

ii. Federal Law Requires AT&T and Its Agents to Protect Customers’ 
Location Data. 

176. Recognizing the sensitivity of data collected by cell carriers. Congress, through 
the FCA, requires telecommunications providers—including wireless cell carriers, such as 
AT&T—to protect their customers’ sensitive personal information to which they have access as a 
result of their unique position as telecommunications carriers. 


“Study Finds More Americans Concerned About Data Privacy Than Losing Their Income,” 
National Cyber Security Alliance (Jan. 28, 2016), available at 
https://stavsafeonline.org/press-release/americans-concemed-data-privacv/ . 

Mary Madden and Lee Rainie, Privacy and Information Sharing, Pew Research Center 
(Jan. 14, 2016), available at https://www.pewintemet.org/2016/01/14/privacv-and-information- 
sharing/ . 

Letter from United States Senators Ron Wyden et al. to Joseph J. Simons (FTC) and Ajit Pai 
(FCC) (Jan. 24, 2019), supra at 70. 

47 U.S.C. § 222. 
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177. While the FCA faeilitates nationwide deployment of E911 teehnology, Congress 
expressly proteeted the privaey of eustomer information. In doing so, Congress speeifieally 
ineluded proteetion for the privaey of loeation information pertaining to eell phone users. 

178. Seetion 222 of the FCA, whieh beeame part of the Aet in 1996, establishes 
earners’ duty to proteet the privaey and seeurity of information about their eustomers. Likewise, 
Seetion 201(b) of the Aet requires AT&T’s praetiees related to the eolleetion of information from 
its eustomers to be “just and reasonable” and deelares unlawful any praetiee that is unjust or 
unreasonable. 

179. Congress enaeted Seetion 222 to “define!] three fundamental prineiples to proteet 
all eonsumers. These prineiples are: (1) the right of eonsumers to kn ow the speeifie information 
that is being eolleeted about them; (2) the right of eonsumers to have proper notiee that sueh 
information is being used for other purposes; and (3) the right of eonsumers to stop the reuse or 
sale of that information.” The FCA represents Congress’s judgment that earrier eustomers’ 
proprietary network information, ineluding loeation data, should remain private. 

180. Pursuant to the FCA, AT&T has a duty to proteet the eonfidentiality of eertain 

types of eustomer data, ineluding preeise loeation data. This duty extends to data that AT&T 
provides to the Aggregator Defendants. Under the FCA, AT&T is not just liable for its own 

violations of the Aet, but also for violations that it “oause[s] or permit[s].”'^‘^ 


See P.L. No. 106-81(2), § 5, 113 Stat. 1288 (Get. 26, 1999) (eodified at 47 U.S.C. § 222). 

47 U.S.C. § 201(b). 

FI.R. Conf. Rep. No. 458, 104th Cong., 2d Sess. 204 (1996) (Joint Explanatory Statement of 
the Committee of Conferenee); see also H.R. Rep. No. 204, 104th Cong., 1st Sess. 91 (1995); id. 
at 90 (explaining that seetion 222 balanees “the need for eustomers to be sure that personal 
information that earners may eolleet is not misused” with eustomers’ expeetation that “the 
earrier’s employees will have available all relevant information about their serviee”). 

47 U.S.C. § 222(a). 

2007 CPNl Order T139. 

See 47 U.S.C.A. § 206 (establishing that “[i]n ease any common carrier shall do, or cause or 
permit to be done, any act, matter, or thing in this chapter prohibited or declared to be unlawful, 
or shall omit to do any act, matter, or thing in this chapter required to be done such common 
carrier shall be liable to the person or persons injured thereby for the full amount of damages 
sustained in consequence of any such violation of the provisions of this chapter!.]”) 
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181. One type of data that earriers must proteet is called customer proprietary network 
information (“CNPl”). CPNI is defined as, inter alia, “information that relates to the . . . 
location ... of a telecommunications service subscribed to by any customer of a 
telecommunications carrier, and that is made available to the carrier by the customer solely by 
virtue of the carrier-customer relationship.”'^' 

182. The FCA and the FCC designate location information as CPNI. AT&T receives 
Plaintiffs’ and Class members’ location data by virtue of its provision of telecommunications 
services to Plaintiffs and Class members. As established in Section C, AT&T has 
implemented technology that causes location data to be stored on its customers’ device, where it 
is made available to AT&T. This location information is collected from Plaintiffs’ and other 
AT&T’s subscribers’ mobile devices at AT&T’s direction, and AT&T and the Aggregator 
Defendants can access and control the information. The FCC has warned “that location 
information in particular can be very sensitive customer information.” 

183. AT&T has breached its duty to protect customers’ CPNI by knowingly allowing 
countless third parties access to the location data. AT&T has failed in its duty to ensure that 
access to CPNI is only granted pursuant to the requirements of the FCA, and that the data 
otherwise be safeguarded against improper use. AT&T’s failure to provide proper notice, obtain 


47 U.S.C. § 222(h)(1). 

47 U.S.C. § 222(h)(1)(A); see also Declaratory Ruling, In the Matter of Implementation of the 
Telecommunications Act of1996: Telecommunications Carriers ’ Use of Customer Proprietary 
Network Info. & Other Customer Info., 28 F.C.C. Red. 9609 T122 (2013) (“The location of a 
customer's use of a telecommunications service also clearly qualifies as CPNI.”); 

Carpenter, 138 S. Ct. at 2272 (Gorsuch, J., dissenting) (“47 U.S.C. § 222 designates a 
customer’s cell-site location information as “customer proprietary network information” 
(CPNI)[.]” 

47 U.S.C. § 222(h)(1). 

Declaratory Ruling, In the Matter of Implementation of the Telecommunications Act of1996: 
Telecommunications Carriers ’ Use of Customer Proprietary Network Info. & Other Customer 
Info., 28 F.C.C. Red. 9609126 (2013). 
atTl 16. 

Id. at n. 54. 
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proper consent, and safeguard Plaintiffs’ and similarly situated customers’ location data violates 
the FCA and its corresponding regulations. 

184. FCC commissioners have publicly stated that AT&T’s sale of customers’ precise 
location data violates the FCA. Current FCC commissioner Geoffrey Starks confirmed that the 
sale of location data as reported in 2018 and 2019 would constitute a violation of the law: “Time 
and again in recent months, we’ve read about people’s location information from use of mobile 
phones being for sale ... If the allegations are true, this is against the law and violates the 
[FCC’s] rules. It’s outrageous and needs to stop.”^^^ Likewise, FCC Commissioner Jessica 
Rosenworcel stated that, “[sjelling location data without customers’ consent is a violation of 
[FCC] rules.” 

185. Pursuant to the FCA, the FCC has developed comprehensive rules concerning 
AT&T’s obligations under its duty to protect customers’ CPNI. These rules require, among 
other things, the proper notice carriers must provide and the consent they must obtain before 
using, selling, or disclosing their customers’ proprietary data, and the steps they must take to 
safeguard the proprietary data. As alleged in detail below, AT&T has failed to abide by the 
FCC’s rules concerning notice, consent, and proper safeguarding requirements. 

a. The FCA Requires Defendants to Provide Plaintiffs Proper Notice 
Before Disclosing Their Location Data. 

186. The FCA requires AT&T to provide “individual notice” to customers before 
seeking their approval to “use, disclose, or permit access to [their] CPNI.”^®*^ 


Jon Brodkin, “Ajit Pai’s Plan for Phone Location Data Never Mentions the Word ‘Privacy,’” 
Ars Technica (Mar. 14, 2019), available at https://arstechnica.com/tech- 
policv/2019/03/despite-carriers-selling-91 l-location-data-fcc-ignores-privacy-in-new-rules/. 

Jon Brodkin, “Selling 911 Location Data is Illegal—US Carriers Reportedly Did It 
Anyway,”’ Ars Technica (Feb. 13, 2019), available at https://arstechnica.com/tech- 
policv/2019/02/att-t-mobile-sprint-reportedlv-broke-us-law-bv-selling-911 -location-data/ . 

See 47 C.F.R. § 64.2001(“The purpose of the rules in this subpart is to implement section 222 
of the Communications Act of 1934, as amended, 47 U.S.C. 222.”). 

20'^ 47 C.F.R. § 64.2008(b). 
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187. The individual notice required by the FCA must “provide sufficient information to 
enable the customer to make an informed decision as to whether to permit a carrier to use, 
disclose, or permit access to, the customer’s CPNL”^°' 

188. This notice must include, inter alia, ‘'the specific entities that will receive the 
CPNI, describe the purposes for which CPNI will be used, and inform the customer of his or her 
right to disapprove those uses, and deny or withdraw access to CPNI at any time.”^°^ And, “[t]he 
notification must be comprehensible and must not be misleading.” 

189. AT&T failed to provide proper, individual notice to Plaintiffs and the Class before 
using, disclosing, or permitting access to their real-time location CPNI by the Aggregator 
Defendants and other third parties. 

b. The FCA Requires Defendants to Obtain Customers’ Knowing 
Consent Before Using, Disclosing, or Permitting Access to 
Location Data. 

190. The FCA gives customers certain rights to control use of and access to their 
CPNI. The statute generally forbids a carrier to “use, disclose, or permit access to” CPNI, except 
in limited circumstances. 

191. A carrier may only use, disclose, or permit access to customers’ CPNI; (1) as 
required by law; (2) with the customer’s approval; or (3) in its provision of the 
telecommunications service from which such information is derived, or services necessary to or 
used in the provision of such telecommunications service. Beyond such use, “the 
Commission’s rules require carriers to obtain a customer’s knowing consent before using or 
disclosing CPNI.”^°^ 

192. The knowing consent requirement extends to AT&T’s sharing of CPNI with the 
Aggregator Defendants. In a 2007 Order, the FCC recognized the risk associated with sharing 
customer CPNI with third parties. Specifically, the Commission stated; 


201 47 C.F.R. § 64.2008(c). 

202 47 C.F.R. § 64.2008(c)(2)(emphasis added). 

203 47 C.F.R. § 64.2008(c)(4). 

204 47 U.S.C. § 222(c)(1). 

203 47 U.S.C. § 222. 

206 2007 CPNI Order ^ 8 (emphasis added). 
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We find that there is a substantial need to limit the sharing of CPNI 
with others outside a customer’s carrier to protect a customer’s 
privacy. . . Specifically, we find that once the CPNI is shared with 
a joint venture partner or independent contractor, the carrier no 
longer has control over it and thus the potential for loss of this data 
is heightened. We find that a carrier’s section 222 duty to protect 
CPNI extends to situations where a carrier shares CPNI with its 
joint venture partners and independent contractors. 


193. The Order further found that “by sharing CPNI with joint venture partners and 
independent contractors, it is clear that carriers increase the odds of wrongful disclosure of this 
sensitive information, and before the chances of unauthorized disclosure are increased, a 
customer’s explicit consent should be required.” 

194. On information and belief, AT&T did not obtain such consent before disclosing 
Plaintiffs’ and customers’ CPNI to the Aggregator Defendants, nor did AT&T even put the 
Plaintiffs on notice that their CPNI would be sold to the Aggregator Defendants. 

195. In addition to failing to obtain customers’ consent before sharing their location 
data with the Aggregator Defendants, AT&T also failed to obtain consent before allowing the 
Aggregator Defendants to share the data with additional third parties. Instead, AT&T — by its 
own admission—impermissibly abdicated that responsibility and relied upon an illegal and 
ineffective, trust-based model to secure customer consent. 

196. AT&T admits that it uses the Aggregator Defendants to “facilitate” the sale of its 
customers’ location data and states that it requires the Aggregator Defendants to make their 
customers (such as Securus) obtain customer consent. However, the plain text of the FCA and 
its implementing regulations requires the carrier to obtain a customer’s knowing consent before 
that customer’s CPNI is used or disclosed by any third parties, including the Aggregator 
Defendants. 


20^ Id. T139. 

Id. T146 (emphasis added). 

Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 

47 U.S.C. § 222(c)(1); 2007 CPNI Order ^ 8. 
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197. After improperly pushing its duty to obtain eonsent downstream, AT&T failed to 
eonfirm that the Aggregator Defendants and the Aggregator Defendants’ customers (such as 
Microbilt, Securus, and CerCareOne) were obtaining consent or proper legal authority before 
granting them access to customer location. 

198. In fact, the Aggregator Defendants’ customers were failing to obtain consent or 
legal authority before accessing customer CPNI. 

199. In 2018, AT&T admitted that it kn ew that Securus “did not in fact obtain customer 
consent before collecting customers’ location information.”^" In a letter to the FCC, Senator 
Wyden stated that Securus officials “confirmed... that Securus takes no steps to verify” judicial 
authorization for real-time location surveillance and failed to conduct “any review of surveillance 
requests.”^" Indeed, Senator Wyden stated in a letter to AT&T that “[sjenior officials from 
Securus have confirmed... that it never checks the legitimacy of those uploaded documents to 
determine whether they are in fact court orders and has dismissed suggestions that it is obligated 
to do so.”^" 

200. In the case of Securus, all anyone needed to do to access a carrier customer’s 
location data was check a box on the Securus portal that stated, “[b]y checking this box, I hereby 
certify the attached document is an official document giving permission to look up the location 
on this phone number requested.”^^'^ Once that box was checked, the user clicked “Get 
Location” and Securus would use the carrier-level location data to immediately provide the 
longitude and latitude of the phone’s current location, as well as an address. This was the case 
even when the documents purporting to show “legal authority” were absurdly deficient on their 


See, e.g., Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden 
(June 15, 2018), supra at 51 (emphasis added). 

Letter from U.S. Senator Ron Wyden to Chairman Ajit Pai (FCC) (May 8, 2018), supra at 36. 
Letter from U.S. Senator Ron Wyden to Randall L. Stephenson (AT&T) (May 8, 2018), supra 
at 32. 

See Hutcheson Indictment at ][ 6. 
atT17. 
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face, such as was the case with former Sheriff Hutcheson, who uploaded inserts from his oar 
insurance manual as “legal authority” for phone tracking7'^ 

201. Rather than verify consent or legal authority itself, Securus passed the 
responsibility even further down the ohain and “relied upon law enforcement’s representation 
that it had appropriate legal authority!.]” 

202. In other words, in the ease of Securus, the responsibility to confirm that a cell 
carrier customer had consented to real-time location tracking was pushed down every rung of the 
ehain; from AT&T to Location Smart, from LocationSmart to SCinteractive, from SCinteractive 
to Securus, from Securus to correctional facilities, and from those faeilities down to individual 
officers. Predictably, this system failed to protect AT&T’s customers’ sensitive location data. 
AT&T is responsible for this failure. 

203. Securus was not an isolated incident, but instead, just one example of Defendants’ 
pattern and practiee of failing to assure that any consent or legal authority existed before it 
allowed third parties to use or access customers’ CPNI. 

204. For example, CerCareOne allowed more than 250 bail bond companies and 
bounty hunters to use earrier data “tens of thousands of times to locate phones” - often without 
any consent from the eustomer.^^* 

205. Additionally, a reporter was able to obtain the precise location information of an 
individual—ultimately through Aggregator Defendant Zumigo’s aceess to cell carrier location 
data—^without obtaining any documented consent from the targeted carrier customer. While 
the reporter personally obtained such consent, on information and belief, that eonsent was in no 
way verified by Zumigo or the individual’s cell carrier. 


Id. atT122. 

Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron Wyden (June 15, 
2018), supra at 51. 

Joseph Cox, “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint 
Customer Loeation Data for Years,” supra at 71. 

Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” supra at 57. 
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206. In addition to failing to obtain the consent required by the FCA, AT&T also failed 
to implement a system that could accurately track consent, as required by the FCA. 

207. In order to protect customers’ rights under the FCA, the FCC has adopted rules 
“designed to ensure that telecommunications carriers establish effective safeguards to protect 
against unauthorized use or disclosure of CPNI.”^^° The FCA requires carriers to “implement a 
system by which the status of a customer’s CPNI approval can be clearly established prior to the 
use of CPNI.”^^' Carriers must “design their customer service records in such a way that the 
status of a customer’s CPNI approval can be clearly established.The FCC’s rules also 
“require carriers to maintain records that track access to customer CPNI records.Carriers 
must “maintain a record of all instances where CPNI was disclosed or provided to third parties, 
or where third parties were allowed access to CPNI.”^^^ 

208. Upon information and belief, AT&T has failed to implement such a system. 

209. By providing the Aggregator Defendants direct access to customers’ location data, 
AT&T allowed a chain of handoffs to develop, leading to a robust market for customers’ location 
data with no oversight by AT&T and continuous violations of AT&T’s duties under the FCA to 
obtain knowing consent, customer opt-in, or proper legal authority before disclosing its 
customers’ CPNI to third parties. 

c. Defendants Are Required to Safeguard Customers’ Location Data. 

210. AT&T has also breached its duty to safeguard Plaintiffs’ and Class Members’ 
CPNI from data breaches, in violation of Section 222(a) and Section 201(b) of the FCA. 

211. In 2007, the FCC “[made] clear that carriers’ existing statutory obligations to 
protect their customers’ CPNI include[s] a requirement that carriers take reasonable steps, which 


220 2007 CPNI Order T] 9; also Id. at ^ 35; 47 U.S.C. § 222(c). 

22' 2007 CPNI Order 8-9 (emphasis added); see also 47 C.F.R. § 64.2009(a). 
222 2007 CPNI Order ^ 9. 

224 Id.-, see also 47 C.F.R. § 64.2009(c). 
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may include encryption, to protect their CPNI databases from haekers and other unauthorized 
attempts by third parties to access CPNI.”^^^ 

212. LocationSmart’s failure to properly secure its API and prevent unauthorized 
access to customer location data through the demo publiely available on its website is an 
additional breach of the earrier’s duty to safeguard customers’ CPNI. AT&T is responsible for 
this breach because LocationSmart was operating as AT&T’s agent and/or vendor. 

213. Additionally, AT&T and LocationSmart’s failure to protect its customers’ data— 
thereby resulting in the data becoming accessible over the public internet—is an unjust and 
unreasonable practice under Section 201(b) of the FCA.^^^ 

214. The FCC also requires AT&T to inform customers - and law enforcement - 
“whenever a security breach results in that eustomer’s CPNI being disclosed to a third party 
without that customer’s authorization.”^^* This requirement extends beyond hacking to any 
unauthorized disclosure. On information and belief, AT&T has failed to inform Plaintiffs that 
their CPNI was disclosed to the Aggregator Defendants or any other relevant third parties. 

215. In adopting this requirement, the FCC rejected the argument that it “need not 
impose new rules about notice to customers of unauthorized diselosure because competitive 
market conditions will protect CPNI from unauthorized disclosure.” 

216. Instead, the FCC found that “[i]f eustomers and law enforcement agencies are 
unaware of [unauthorized access], unauthorized releases of CPNI will have little impact on 
carriers’ behavior, and thus provide little incentive for earriers to prevent further unauthorized 
releases. By mandating the notification process adopted here, we better empower eonsumers to 
make informed decisions about service providers and assist law enforcement with its 
investigations. This notiee will also empower carriers and consumers to take whatever ‘next 


2007 CPNI Order ][ 36 (citation omitted). 

226 Id. at T1 39; 5ee also 47 U.S.C. § 217. 

22^ See In the Matter ofTerracom, Inc. & Yourtel Am., Inc., 29 F.C.C. Red. 13325 T] 32 (2014). 
22^ 2007 CPNI Order at ^ 26; 5ee also 47 C.F.R § 64.2011(c). 

229 2007 CPNI Order T130. 
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steps’ are appropriate in light of the customer’s particular situation.The FCC specihcahy 
recognized that this notice could allow consumers to take precautions or protect themselves “to 
avoid stalking or domestic violence. 

217. But even after documents confirmed that AT&T customers’ location data had been 
accessed by CerCarOne’s clients,AT&T stated in February 2019, in a response to Senator 
Wyden’s office, that it had not “identified any use of location information where the location 
aggregator or another third party obtained AT&T location information without prior customer 
consent.”^^^ This statement was untrue. 

218. AT&T failed in its duty to safeguard its customers’ CPNI from breaches and, upon 
information and belief, has failed to properly inform affected customers of such breaches when 
they occurred. 

d. Defendants Are Prohibited from Selling Customers’ E911A-GPS 
Data for Commercial Use, 

219. AT&T failed to protect customers’ A-GPS data from unauthorized commercial 

use. 

220. When the FCC authorized telecommunication carriers, including AT&T, to use A- 
GPS technology for E911 purposes, it required the carriers to certify that “any data associated 
with the NEAD may not be used for any non-911 purpose, except as otherwise required by 
law.”234 

221. While the collection and use of A-GPS data was allowed under the E911 and 
public safety exceptions of the ECA, any other use would violate the FCA and its corresponding 
regulations. 


Id. at n. 100. 

Joseph Cox, “Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint 
Customer Location Data for Years,” supra at 71. 

Letter from Timothy P. McKone to U.S. Senator Ron Wyden (Eeb. 15, 2019), supra at 7. 
NEAD Implementation Order ][ 13 (emphasis added). 
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222. As industry documents confirm, AT&T allows bounty hunters, bail bondsmen, 
and other third parties to access customers’ precise, real-time A-GPS data.^^^ 

223. This A-GPS data is data associated with the NEAD, and thus commercial sale of 
the data violates federal law. 

224. In a letter to AT&T Communications CEO John Donovan, FCC Commissioner 
Jessica Rosenworcel stated, “[ujnder federal law, A-GPS data included in the [NEAD] Database 
for enhanced 911 services may not be used for any other purpose.”^^® 

225. This commercialization of data associated with the NEAD is in direct violation of 
FCC regulations. 

iii, AT&T Has Acknowledged Plaintiffs’ Right to Privacy in their 
Proprietary Information. 

226. AT&T recognizes that its customers, including Plaintiffs, have an expectation of 
privacy in their proprietary data. 

227. As AT&T admits to its customers, “It is your right and our duty under federal law 
to protect the confidentiality of your CPNI.”^^^ 

228. AT&T has also previously faced an FCC enforcement action, and paid a $25 

million civil penalty, for violations of customers’ privacy. In 2015, the FCC found that AT&T 

failed to properly protect the confidentiality of almost 280,000 customers’ CPNI in connection 
with data breaches at AT&T call centers in Mexico, Columbia, and Philippines. AT&T 
employees had improperly used login credentials to access customer accounts and access 


235 “Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 Calls,” 
supra at 71. 

Letter from Commissioner Jessica Rosenworcel to John Donovan (CEO AT&T 
Communications) (May 1, 2019), available at 

https://www.documentcloud.org/documents/5985428-FCC-Commissioner-Rosenworcel-letters- 

to-Telecom.html . 

“Customer Proprietary Network Information (CPNI),” AT&T, available at 
https://about.att.com/sites/privacv policy/rights choices? gl=I*8s6v9t* gel dc*RONMLiEINT 

QxMzU4MTEuQOpqNHhJR25vLUVDRlZIOHN3b2R6RWNJLWc.#cpni . 

In the Matter of AT&T Servs., Inc., 30 F.C.C. Red. 2808 (2015). 

23*^ M atTl 1. 
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customer information that could be used to unloek the eustomers’ deviees7'^‘^ The employees 
then sold the information they obtained from the breaches to a third party7"^^ 

229. The FCC concluded that AT&T’s “failure to reasonably seeure customers’ 
proprietary information violates a earrier’s statutory duty under Communications Act to protect 
that information, and also constitutes an unjust and unreasonable praetiee in violation of the 
Aet.”242 

230. The FCC stressed that the FCA is intended to “ensure that consumers ean trust 
that earners have taken appropriate steps to ensure that unauthorized persons are not aeeessing, 
viewing or misusing their personal information.”It stressed its expeetation that 
“teleeommunieations earners sueh as AT&T... take ‘every reasonable preeaution’ to proteet their 
eustomers’ datal.]”^^^'^ 

231. Asa condition of its stipulated Consent Deeree, AT&T agreed to develop and 
implement a eomplianee plan to ensure appropriate safeguards to proteet eonsumers against 
similar breaehes by improving its privacy and data security practices. 

232. This FCC enforeement aetion underseores AT&T’s familiarity with the sensitive 
nature of eustomer CPNI, and its duties to proteet and safeguard that data. 

H, AT&T’s Misrepresentations and Omissions Concerning the Sale of Customer 
Location Data. 

233. AT&T’s false representations eoneeming sale of aeeess to Plaintiffs’ and Class 
members’ real-time loeation data eompounds the outrageousness of its eonduet. 

234. AT&T’s Privacy Policy, and the “Privaey Commitments” included therein, falsely 
represents and fails to disclose material information about its routine sale of aeeess to eustomers’ 
loeation data. 


Id. atl[117, 11. 

Id. atTl 1. 

Id. atT12. 

^^^Id. 

245 m at 1(112, 17-18,21. 
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235. In its Privacy Policy, AT&T promises not to sell customers’ personal information 
and to proteet customers’ privaey and personal information. AT&T further pledges that it will 
allow Plaintiffs and Class members to eontrol how their data is used. These representations 
ereated an expeetation among Plaintiffs and Class members that their real-time loeation data 
would not be sold, that such data would be protected from unauthorized diselosure, and that they 
could control how and when sueh data was aceessed. Figure 4, immediately below, is an excerpt 
from AT&T’s Privacy Policy. 

Our Privacy Commitments 

Our privacy commitments are fundamental to the way we do business 
every day. These apply to everyone who has a relationship with us - 
including customers (wireless, Internet, digital TV, and telephone) and 
Web site visitors. 

• We will protect your privacy and keep your personal information safe. We 
use encryption and other security safeguards to protect customer data. 

• We will not sell your personal information to anyone, for any purpose. 

Period. 

• We will fully disclose our privacy policy in plain language, and make our 
policy easily accessible to you. 

• We will notify you of revisions to our privacy policy, in advance. No 
surprises. 

• You have choices about how AT&T uses your information for marketing 
purposes. Customers are in control. 

• We want to hear from you. You can send us questions or feedback on 
our privacy policy. 

Figure 

236. AT&T’s representation that it “use[s] eneryption and other security safeguards to 
protect customer data” is false and misleading. 


“Our Privacy Commitments,” AT&T (Feb. 15, 2019), available at 
https://about.att.com/sites/privacv policy . 
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237. As alleged above in Section B, AT&T allowed its agent LocationSmart to store 
customers’ personal information—in the form of real-time location data—in a manner that 
allowed it to be easily accessed without any customer consent or legal authority by “[ajnyone 
with a modicum of knowledge about how Web sites workl.]”^"^^ AT&T’s statement that it would 
use encryption and other security safeguards to protect customers’ data is therefore a material 
misrepresentation. 

238. As alleged above in Section E, AT&T failed to establish a consent mechanism 
that verified proper authorization before customers’ location data was disclosed to third parties. 
AT&T’s statement that it would use encryption and other security safeguards to protect 
customers’ data is therefore a material misrepresentation. 

239. AT&T’s representation that it “will protect [customers’] privacy and keep [their] 
personal information safe” is false and misleading. 

240. As alleged above in Section E, AT&T failed to establish a consent mechanism 
that verified proper authorization before customers’ location data was disclosed to third parties. 
Real-time location data is personal information. AT&T’s statement that it would protect 
customers’ privacy and keep their personal information safe is therefore a material 
misrepresentation. 

241. AT&T’s representation that it “will not sell [customers’] personal information to 
anyone, for any purpose. Period” is false and misleading. 

242. As alleged above in Sections C-E, AT&T routinely sold access to customers’ real¬ 
time location data to the Aggregator Defendants and countless additional third parties. Real-time 
location data is personal information. AT&T’s statement that it would not sell customers’ 
personal information is therefore a material misrepresentation. 

243. AT&T also makes numerous false or misleading representations concerning its 
treatment of customers’ data that qualifies as CPNI under the EGA. 


Brian Krebs, “Tracking Eirm EocationSmart Eeaked Eocation Data for Customers of All 
Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site,” supra at 42. 
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244. AT&T explicitly and falsely represents to customers in its Privacy Policy that it 

does not “sell, trade or share” their CPNI without legal authority: 

We do not sell, trade or share your CPNI with anyone outside of 
the AT&T family of companies* or our authorized agents, unless 
required by law (example: a court order). 

245. As alleged above in Sections B-E, AT&T routinely provided access to customers’ 
CPNI, in the form of real-time location information to additional third parties through the 
Aggregator Defendants. This use was not required by law. 

246. AT&T also states that it only uses CPNI “internally” and its only disclosed use of 
CPNI is “among the AT&T companies and our agents in order to offer you new or enhanced 

* 9^249 

services. 

247. Additionally, while the Aggregator Defendants are AT&T’s agents, the use of 
customer location data described herein was not for “internal” AT&T purposes, nor was it used 
to market AT&T services to Plaintiffs and Class members. AT&T’s statements regarding the sale 
and/or use of customer CPNI are therefore material misrepresentations. Its failure to disclose its 
sale of access to customers’ CPNI, in the form of location data, is a material omission. 

248. AT&T also falsely represents that it “uses technology and security features, and 
strict policy guidelines with ourselves and our agents, to safeguard the privacy of CPNI.”^^° 

249. As alleged above in Section B, AT&T’s agent, LocationSmart, did not 
appropriately safeguard the privacy of AT&T customers’ CPNI. Instead, it stored customer CPNI 
in such a way that unauthorized access was easily obtained by “[ajnyone with a modicum of 
knowledge about how Web sites work.”^^^ AT&T’s statements regarding the technology and 
security features it uses to safeguard customer CPNI are therefore material misrepresentations. 


Ex. A (privacy policy) at 31. The “AT&T family of companies” is defined “those companies 
that provide voice, video and broadband-related products and/or services domestically and 
internationally, including the AT&T local and long distance companies, AT&T Corp., AT&T 
Mobility, DIRECTV, and other subsidiaries or affiliates of AT&T Inc. that provide, design, 
market, or sell these products and/or services.” Id. at 32. 

24“^ Id. at 32. 

^^^Id. 

Brian Krebs, “Tracking Firm LocationSmart Leaked Location Data for Customers of All 
Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site,” supra at 42. 
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250. As alleged above in Section C, AT&T and its agent, LocationSmart, also failed to 
safeguard customers’ CPNI when they provided access to customer location data to companies 
who failed to obtain consent or valid legal authority for such access. AT&T’s statements 
regarding the technology and security features it uses to safeguard customer CPNI are therefore 
material misrepresentations. 

251. AT&T has admitted that its customers’ location data was used in ways that 
violated its policies. A spokesperson for AT&T admitted that the sale of location data to bounty 
hunters “would violate [AT&T’s] contract and Privacy Policy.”^^^ 

252. In response to public reporting about its routine sale of customers’ real-time 
location data, AT&T made numerous false public statements. 

253. AT&T repeatedly asserted that, despite its sale of customers’ real-time location 
data, it protected Plaintiffs and its customers from unauthorized use of their location data by only 
releasing such data when presented with customer consent or proper legal authority. As 
alleged in Section E, this representation was false. 

254. Moreover, AT&T repeatedly represented that it would stop selling access to 
Plaintiffs’ and similarly situated customers’ location data to the Aggregator Defendants and all 
third parties. These representations were false. 

255. In June 2018, AT&T stated that it had taken “prompt steps to protect customer 
data” and ended Securus’ access to customer location data.^^"^ In a public statement around the 
same time, AT&T stated that its “top priority [was] to protect our customers’ information and, to 
that end, [it would] be ending [its] work with aggregators for these services as soon as practical 


Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” supra at 57. 

In a June 2018 letter to Senator Wyden’s office, AT&T represented that it “authorized third 
parties to access customer location data... only where a customer consents to such disclosure 
except in limited cases where a specific provision of law or regulation requires or authorizes 
access.” See Letter from Timothy P. McKone (AT&T Services, Inc.) to U.S. Senator Ron 
Wyden (June 15, 2018), supra at 51. 

^^Ud. 
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in a way that preserves important, potential lifesaving services like emergency roadside 
assistance. 

256. But on January 10, 2019, AT&T admitted that it had not ended the sale of real¬ 
time location data to location aggregators—despite its statements in June 2018 to the contrary— 
but insisted that it was now planning to end all customer location data sales in response to the 
January 2019 reporting. But AT&T again hedged, estimating the sales would not conclude 
until March 2019.^^^ 

257. AT&T’s sale of customer location data continued. As Senator Wyden explained, 

“[w]e catch them in 2018, they claim that they’re going to stop—not a whole lot of qualifiers, 
they just say, ‘We’re going to stop’—and then we had Joe Cox and the good folks at 
Motherboard basically get a bounty hunter, give them a couple hundred bucks, and we saw that 
at least three of the four major carriers [including AT&T] had basically fed the American 
consumer a bunch of baloney.” “[Tjhey made these promises to me in writing in 2018. Now, 

they’re making these promises again, and so... permit me to be a little bit skeptical. I’ll believe it 
when I actually see it. And there is a real pattern now in the technology space where essentially 
these companies get caught in irresponsible conduct... they apologize... and they pledge it won’t 
happen again. But of course, it does it happen again. You can almost set your clock by it.”^^^ 


Jon Brodkin, “Verizon and AT&T Will Stop Selling Your Phone’s Location to Data 
Brokers,” Ars Technica (June 19, 2018), available at https://arstechnica.com/tech- 
policv/2018/06/verizon-and-att-will-stop-selling-vour-phones-location-to-data-brokers/; Brian 

Fung, “Verizon, AT&T, T-Mobile and Sprint Suspend Selling of Customer Location Data After 
Prison Officials Were Caught Misusing It,” The Washington Post (June 19, 2018), available 
at https://www.washingtonpost.com/news/the-switch/wp/2018/06/I9/verizon-will-suspend-sales- 

of-customer-location-data-after-a-prison-phone-company-was-caught-misusing- 

it/?noredirect=on&utm term=.4f7da64cl 108 . 

Joseph Cox, “Google Demanded That T-Mobile, Sprint Not Sell Google Fi Customers' 
Location Data,” Motherboard (Jan. 11, 2019), available at 

https://motherboard.vice.com/en us/article/d3bnvv/google-demanded-tmobile-sprint-to-not-sell- 

google-Fi-customers-location-data . 

Alfred Ng, “AT&T is Cutting Off All Location-Data Sharing Ties in March,” CNET (Jan. 11, 
2019), available at https://www.cnet.com/news/at-t-is-cutting-off-all-location-data-sharing-ties- 
by-march/. 

“I Gave a Bounty Hunter $300. Then He Located Our Phone,” Cyber Podcast, supra at 113. 
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258. Plaintiffs and AT&T customers therefore have no reason to believe AT&T’s 
continuous representations that it would or will end the sale of real-time location data are 
eredible. 

259. Public reporting also shows that AT&T’s representations throughout 2018 and 
early 2019—that sales of customers’ location data were isolated incidents—^were false, and were 
intended to conceal the nature and scope of AT&T’s location data practices. 

260. In response to the latest round of reporting in February and Mareh of 2019, 
Senator Wyden stressed the wireless carriers’ misrepresentations about the sale of their 
customers’ location data. “Carriers assured customers location tracking abuses were isolated 
incidents. Now it appears that hundreds of people could track our phones, and they were doing it 
for years before anyone at the wireless companies took action,” the Senator stated. “That’s 
more than an oversight—that’s flagrant, wil[l]ful disregard for the safety and security of 
Americans. 

261. AT&T’s misrepresentations and omissions concerning its sale of access to and 
safeguarding of customers’ real-time location data were material. As alleged in Section G, a 
reasonable person would attaeh importanee to the privacy of her sensitive location data in 
determining whether to contract with a wireless eell phone provider. 

262. AT&T was obligated to diselose the nature of its location data sales practiees, as 
AT&T had exclusive knowledge of material faets not kn own or knowable to its customers, AT&T 
actively concealed these material facts from its customers, and sueh diselosures were necessary 
to materially qualify its representations that it did not sell and took measures to protect consumer 
data and its partial disclosures concerning its use of customers’ CPNI. Further, AT&T was 
obligated to disclose its praetices under the FCA. 

263. Areasonable person would be deceived and misled by AT&T’s 
misrepresentations, which clearly indicated that AT&T would not sell, and would in fact 


Joseph Cox, “Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 
Calls,” supra at 71. 

2^' Id. 
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safeguard, its customers’ personal information and CPNI. Reasonableness is heightened here, 
where AT&T purported to disclose the uses for which it accessed customers’ CPNI but failed to 
include therein the location data sales described herein, making its partial representations likely 
to mislead or deceive. 

264. AT&T intentionally misled its customers regarding its location data practices in 
order to attract customers and evade prosecution for its unlawful acts, while also profiting 
unfairly from the sale of customer location data. 

265. AT&T’s representations in its privacy policies that it protected customers’ 
personal information, when in fact it did not, were false, deceptive, and misleading and therefore 
a violation of Section 201(b) of the FCA. 

I, Fraudulent Concealment and Tolling, 

266. The applicable statutes of limitations are tolled by virtue of Defendants’ knowing 
and active concealment of the facts alleged above. 

267. Plaintiffs and Class members were ignorant of the information essential to the 
pursuit of these claims, without any fault or lack of diligence on their own part. The sale of 
location data, as detailed in this complaint, was not known or knowable to AT&T customers and 
occurred invisibly to them when using their phones. Due to the surreptitious nature of 
Defendants’ activities, they were difficult if not impossible for Plaintiffs and other AT&T 
customers to discover. 

268. At the time the action was filed. Defendants were under a duty to disclose the true 
character, quality, and nature of their activities to Plaintiffs and Class members. Defendants are 
therefore estopped from relying on any statute of limitations. 

269. Defendants’ fraudulent concealment is common to the class. 

J, Named Plaintiff Allegations, 

270. Plaintiffs Scott, Jewel, and Pontis did not know—and indeed could not have 
known—and did not consent to AT&T’s sale of their sensitive, real-time location data to the 
Aggregator Defendants and other third parties. 

See In the Matter ofTerracom, Inc. & Yourtel Am., Inc., 29 F.C.C. Red. 13325 T112 (2014). 
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271. When selecting and maintaining their AT&T wireless accounts, Plaintiffs relied 
upon their reasonable expectation—established at least in significant part by AT&T’s own 
representations—that their data would be safeguarded by AT&T and would not be sold. 

272. Plaintiffs are highly privacy-conscious individuals who place value in their ability 
to select when and how their location data is used and by whom. Had Plaintiffs known about 
the real-time location practices complained of herein, they would not have signed up for AT&T 
wireless cell phone service or would have paid less for its services. 

273. Plaintiffs were also harmed by the (i) unauthorized use of their AT&T wireless 
data, and (ii) the resulting drains on their devices’ battery. 

274. Plaintiffs pay for a limited amount of mobile data from AT&T each month. As 
LocationSmart admits, when a device’s real-time location is accessed, “data or messaging 
charges may be incurred” by the customer, including Plaintiffs. LocationSmart makes clear 
that a third-party’s “location request may use data services to deliver data from the phone to the 
carrier network in response to a location request, which may incur data charges according to the 
individual’s wireless service plan.”^^"* As a result, in addition to having their private locations 
accessed. Plaintiffs and Class members are not getting the optimal performance of the mobile 
devices and carrier data packages they purchased, and which are marketed, in part, based on their 
speed, performance, and battery life. 

275. Plaintiffs were also harmed by Defendants’ failure to adopt reasonable security 
practices to reduce the risk of theft of their personal data. As California courts have recognized, 
a company’s security practices have economic value. In subscribing to AT&T wireless services. 
Plaintiffs were informed of and relied upon AT&T’s assertions that it and its partners would 
safeguard their data. Had Plaintiffs known that AT&T would not properly safeguard their real¬ 
time location data. Plaintiffs would not have subscribed to AT&T wireless services, or would 
have paid less for those services. 

V. CLASS ALLEGATIONS 

263 “paQs,” LocationSmart, supra at 89. 
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276. Plaintiffs bring this class action, pursuant to Rule 23 of the Federal Rules of Civil 

Procedure, individually and on behalf of all members of the following elass (“Class”): 

All natural persons who were or are AT&T wireless subscribers 
residing in California between 2011 and the present and whose 
earrier-level location data AT&T permitted or caused to be used or 
aceessed by any third party without proper authorization. 

277. Excluded from the Class are the following individuals: officers and directors of 
any Defendant and its parents, subsidiaries, affiliates, and any entity in which any Defendant has 
a controlling interest, and all judges assigned to hear any aspect of this litigation, as well as their 
immediate family members. 

278. Plaintiffs Carolyn Jewel, Katherine Scott, and George Pontis seek to represent the 

Class. 

279. This action readily satisfies the requirements set forth under Federal Rule of Civil 
Procedure 23: 

a. The Class is so numerous that joinder of all members is impraetieable. Upon 
information and belief. Class members number in the millions. 

b. The Class is readily aseertainable, as each member is or was a customer of AT&T, 
and thus can be identified by AT&T’s business records and related doeuments. 

e. There are questions of law or fact common to the Class. These questions include, 
but are not limited to, the following; 

i. Whether the Aggregator Defendants acted as agents of AT&T; 

ii. Whether AT&T and its agents’ acts, omissions, and practices eomplained 
of herein amount to a violation of their duty to protect their customers’ 
CPNI, in violation of the FCA; 

iii. Whether the location data described herein is “CPNI” under the FCA; 

iv. Whether AT&T properly obtained consent and/or legal authority before 
allowing the Aggregator Defendants to aceess Plaintiffs’ and Class 
members’ CPNI; 
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V. Whether AT&T and its agents properly obtained consent and/or legal 
authority before allowing third parties to access Plaintiffs’ and Class 
members’ CPNI; 

vi. Whether AT&T provided proper notice before accessing or permitting 
others to access Plaintiffs’ and Class members’ CPNI; 

vii. Whether Defendants’ act and practices complained of herein amount to 
egregious breaches of social norms; 

viii. Whether Defendants acted intentionally in violating Plaintiffs’ and Class 
members’ privacy rights; 

ix. Whether AT&T and its agents had a duty to Plaintiffs and Class members 
to protect their location data, and if so, whether AT&T and/or its agents 
breached that duty; 

X. Whether AT&T made material misrepresentations or omissions to 
Plaintiffs and Class members; 

xi. Whether public injunctive relief should issue; 

xii. Whether Defendants fraudulently concealed their location data practices 
complained of herein; 

xiii. The appropriate amount of damages owed to Plaintiffs and the Class; 

xiv. Whether declaratory relief should be granted. 

d. Plaintiffs’ claims are typical of the claims of the Class in that Plaintiffs, like all 
Class members, are AT&T subscribers whose privacy rights were violated and who were 
subjected to the deceptive conduct alleged herein. 

e. Plaintiffs will fairly and adequately protect the interests of the Class. Plaintiffs’ 
interests do not conflict with the interests of the Class members. Furthermore, Plaintiffs have 
retained competent counsel experienced in class action litigation, generally, and consumer 
privacy litigation, specifically. Plaintiffs’ counsel will fairly and adequately protect and represent 
the interests of the Class. 
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f. Questions of law or fact common to the Class—including but not limited to the 
common questions outlined above—predominate over any questions affecting only individual 
Class members or Plaintiffs. 

g. A class action is superior to other available methods for fairly and efficiently 
adjudicating the controversy complained of herein. 

h. Like all Class members, Plaintiffs suffer a substantial risk of repeated injury in 
the future. AT&T has made repeated misrepresentations about when it would end the privacy- 
violative acts complained of herein, and how. Due to these continuous misrepresentations. 
Plaintiffs have no basis to believe that AT&T will cease its practices on a voluntary basis, and 
seek injunctive relief to protect the privacy rights of themselves and the Class of California 
consumers. Additionally, AT&T has not made any assurances that Plaintiffs’ and Class members’ 
historical location data will be properly secured. 

i. In acting as alleged above. Defendants have acted on ground generally applicable 
to the entire Class, thereby making relief appropriate with respect to the Class as a whole. The 
prosecution of separate actions by individual Class members would create the risk of inconsistent 
or varying adjudications with respect to individual Class members that would establish 
incompatible standards of conduct for Defendants. 

j. Injunctive relief is necessary to prevent further unlawful and unfair conduct by 
Defendants. Money damages, alone, could not afford adequate and complete relief, and 
injunctive relief is necessary to restrain Defendants from continuing to or commit its illegal and 
unfair violations of privacy and to require Defendants to take accurate steps to ensure that any 
current or historical location data is properly safeguarded and secured. 

VI. CLAIMS FOR RELIEF 

COUNTI 

Violations of The Communications Act, 47 U.S.C, § 201 et seq. 

(As to Defendant AT&T) 

280. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 
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281. AT&T has violated 47 U.S.C. § 222(a) by failing to protect the confidentiality of 
Plaintiffs’ and Class members’ CPNl in the form of precise, real-time location data, as detailed 
herein. AT&T has also caused and/or permitted the Aggregator Defendants to fail to protect 
Plaintiffs’ and Class members’ precise, real-time location data, as detailed herein. 

282. AT&T has violated 47 U.S.C. § 222(c) by using, disclosing, and/or permitting 
access to Plaintiffs’ and Class members’ CPNl in the form of precise, real-time location 
information to the Aggregator Defendants and other third parties without the notice, consent, 
and/or legal authorization required under the FCA, as detailed herein. AT&T also caused and/or 
permitted the Aggregator Defendants and other third parties to use, disclose, and/or permit access 
to Plaintiffs’ and Class members’ CPNl in the form of precise, real-time location information 
without the notice, consent, and/or legal authorization required under the FCA, as detailed 
herein. 

283. AT&T has violated 47 U.S.C. § 222(f) by using, disclosing, and/or permitting 
access to Plaintiffs’ and Class members’ geolocation data without the express prior authorization 
of Plaintiffs and Class members, as detailed herein. AT&T has also caused and/or permitted the 
Aggregator Defendants to use, disclose, and/or permit access to Plaintiffs’ and Class members’ 
geolocation data without the express prior authorization of Plaintiffs and Class members, in 
violation of the FCA. 

284. Plaintiffs and Class members have suffered injury to their person, property, 
health, and/or reputation as a consequence of AT&T’s violations of the FCA. Plaintiffs and 
Class members have been harmed by the unauthorized access to their CPNl and personal 
information, the use of their wireless data—^which they purchased from Defendant AT&T— 
without their consent, and AT&T’s failure to secure any past location data obtained about the 
Plaintiffs. Additionally, Plaintiffs and Class members have suffered emotional damages, 
including emotional distress, mental anguish, and suffering, as a result of Defendants’ acts and 
practices. Plaintiffs would not have purchased, or would have paid less for, AT&T wireless 
services had they kn own their location data could be sold to third parties. 
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285. Plaintiffs, individually and on behalf of the Class, seek the full amount of 
damages sustained by Plaintiffs and Class members as a consequence of AT&T’s violations of 
the FCA, together with reasonable attorney’s fee, to be fixed by the Court and taxed and 
collected as part of the costs of the case. 47 U.S.C. § 206. Plaintiffs and the Class also move for 
a writ of injunction or other proper process, mandatory or otherwise, to restrain Defendant AT&T 
and its officers, agents, or representatives from further disobedience of the FCC’s orders on the 
privacy and protection of CPNI, including but not limited to the FCC’s 2007 CPNI Order and the 
NEAD Implementation Order, or to enjoin them obedience to the same. 47 U.S.C. § 401(b). 

COUNT II 

Violations of The California Unfair Competition Law (“UCL”), California Business & 

Professional Code § 17200 et seq. 

(As to Defendant AT&T) 

286. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 

287. California's Unfair Competition Law (UCL) prohibits any “unlawful, unfair or 
fraudulent business act or practice.” Cal. Bus. & Prof Code § 17200. 

288. AT&T made material misrepresentations and omissions concerning its sale of 
access to and safeguarding of customers’ real-time location data. As alleged in Section G, a 
reasonable person would attach importance to the privacy of her sensitive location data in 
determining whether to contract with a wireless cell phone provider. 

289. AT&T had a duty to disclose the nature of its location data sales practices. AT&T 
had exclusive knowledge of material facts not kn own or knowable to its customers and AT&T 
actively concealed these material facts from its customers. Lurther, additional disclosures were 
necessary to materially qualify its representations that it did not sell consumer data, and took 
measures to protect that data, and its partial disclosures concerning its use of customers’ CPNI. 
AT&T was obligated to disclose—and seek opt-in consent from customers for—its practices, as 
required by the LCA. The intensity of the public outcry—including from U.S. Senators— 
underscores the materiality of the AT&T’s omissions. 
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290. A reasonable person would be deceived and misled by AT&T’s 
misrepresentations, which indicated that AT&T would not sell, and would in fact safeguard, its 
customers’ personal and proprietary information. Reasonableness is heightened here, where 
AT&T purported to disclose the uses for which it accessed customers’ CPNI but failed to include 
the location data sales described here, making its partial representations likely to mislead or 
deceive. 

291. AT&T intentionally misled its customers regarding its location data practices in 
order to attract customers and evade prosecution for its unlawful acts, while also profiting 
unfairly from the sale of customer location data. 

292. Defendants’ actions detailed herein constitute an unlawful business act or practice. 
As alleged herein. Defendants’ conduct is a violation of the California constitutional right to 
privacy, the FCA, the CLRA, and constitutes an intrusion upon seclusion. 

293. Defendants’ actions detailed herein constitute an unfair business act or practice. 

294. Defendants’ conduct lacks reasonable and legitimate justification in that 
Defendants have benefited from such conduct and practices, while Plaintiffs and Class members 
have been misled as to the nature and integrity of Defendants’ goods and services and have, in 
fact, suffered injury regarding the privacy and confidentiality of their location information and 
the use of their device resources. 

295. The gravity of the harm of AT&T’s practices—the violations to consumers’ 
reasonable expectations or privacy, as well as customers’ loss of property and/or money—far 
outweigh the utility of Defendants’ conduct, which was largely a profit-making scheme. 
Defendants’ practices were contrary to the letter and the spirit of the FCA and its corresponding 
regulations, which require cell carriers to only disclose customers’ CPNI upon proper notice, 
consent, and authorization, and aims to vest carrier customers with control over their data. Due 
to the surreptitious nature of Defendants’ actions. Plaintiffs and Class members could not have 
reasonably avoided—and still cannot reasonably avoid—the privacy and economic harms 
incurred as a result. 
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296. As the FCA establishes, it is against public policy to sell wireless customer 
location data without the opt-in consent of the customer or verified legal authority. The effects 
of AT&T’s conduct are comparable to or the same as a violation of the FCA. Further, it offends 
California public policy as reflected in the right to privacy enshrined in the state constitution and 
California statutes and common law torts—including intrusion upon seclusion—recognizing the 
need to protect consumers’ privacy and to allow consumers to safeguard their privacy interests. 

297. Defendants’ actions detailed herein constitute a fraudulent business act or 
practice. 

298. As established herein. Plaintiffs have suffered injury in fact and economic harm as 
a result of AT&T’s unfair competition. Had AT&T disclosed the true nature and extent of its sale 
of access to its customers’ real-time location data and the effect such practices had on customers’ 
data plans, batteries, and privacy. Plaintiffs would have been aware and would not have 
subscribed to or paid as much money for AT&T’s wireless services. 

299. Plaintiffs, individually and on behalf of the Class, seek injunctive and declaratory 
relief for AT&T’s violations of the UCL. PlaintiiTs seek public injunctive relief against AT&T’s 
unfair and unlawful practices in order to protect the public and restore to the parties in interest 
money or property taken as a result of AT&T’s unfair competition. Plaintiffs and the Class seek 
a mandatory cessation of AT&T’s practices and proper safeguarding of current and historical 
location data. 

COUNT III 

Intrusion Upon Seclusion 
(As to All Defendants) 

300. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 

301. One who intentionally intrudes, physically or otherwise, upon the solitude or 
seclusion of another or his private affairs or concerns, is subject to liability to the other for 
invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” 
Restatement (Second) of Torts, § 652B. 
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302. Plaintiffs and Class members have reasonable expectations of privacy in their 
mobile devices and their location data. 

303. The reasonableness of Plaintiffs’ and Class members’ expectations of privacy is 
supported by AT&T and its agents’—the Aggregator Defendants’—unique position to monitor 
Plaintiffs’ and Class members’ behavior through its access to Plaintiffs’ and Class members’ 
private mobile devices. It is further supported by the surreptitious and non-intuitive nature of 
Defendants’ tracking. 

304. Defendants intentionally intruded on and into Plaintiffs’ and Class members’ 
solitude, seclusion, or private affairs by allowing third parties to access Plaintiffs’ and Class 
members’ real-time location without proper notice, consent, or authority. 

305. These intrusions are highly offensive to a reasonable person. This is evidenced by 
federal legislation enacted by Congress, state constitutional law, common law. Supreme Court 
precedent, rules promulgated and enforcement actions undertaken by the FCC, and countless 
studies, op-eds, and articles decrying surreptitious location tracking. 

306. The offensiveness of Defendants’ conduct is heightened by AT&T’s material 
misrepresentations to Plaintiffs and Class Members concerning the sale, security, and 
safeguarding of their location data, as alleged above. 

307. Plaintiffs and Class members were harmed by the intrusion into their private 
affairs, as detailed throughout this Complaint. 

308. Defendants’ actions and conduct complained of herein were a substantial factor in 
causing the harm suffered by Plaintiffs and Class members. 

309. Asa result of Defendants’ actions. Plaintiffs and Class members seek damages 
and punitive damages in an amount to be determined at trial. Plaintiffs and Class members seek 
punitive damages because Defendants’ actions—which were malicious, oppressive, and willful— 
were calculated to injure Plaintiffs and Class members and made in conscious disregard of 
Plaintiffs’ and Class members’ rights. Punitive damages are warranted to deter the Defendants 
from engaging in future misconduct. 
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310. Plaintiffs seek restitution for the unjust enrichment obtained by Defendants as a 
result of unlawfully collecting Plaintiffs’ location data. These intrusions are highly offensive to a 
reasonable person. Further, the extent of the intrusion cannot be fully known, as the nature of 
privacy invasion involves sharing Plaintiffs’ and Class members’ personal information with 
potentially countless third parties, known and unknown, for undisclosed and potentially 
unknowable purposes. Also supporting the highly offensive nature of Defendants’ conduct is the 
fact that Defendants’ principal goal was to surreptitiously track Plaintiffs and Class members and 
to allow third parties to do the same, all for the sake of profit. 

311. Plaintiffs, individually and on behalf of the Class, seek the full amount of 
damages sustained by Plaintiffs and Class members as a consequence of AT&T’s intrusion upon 
their seclusion, as well as declaratory and injunctive relief 

COUNT IV 

Violations of the California Constitutional Right to Privacy 
(As to All Defendants) 

312. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 

313. The California Constitution declares that “All people are by nature free and 
independent and have inalienable rights. Among these are enjoying and defending life and 
liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, 
happiness, and privacy.” Cal. Const. Art. I, § 1. 

314. Plaintiffs’ and Class members’ have a reasonable expectation of privacy in their 
location data. 

315. Defendants intentionally intruded on and into Plaintiffs’ and Class members’ 
solitude, seclusion, or private affairs by allowing third parties, including the Aggregator 
Defendants, to access Plaintiffs’ and Class members’ real-time location without proper consent or 
authority. 

316. The reasonableness of Plaintiffs’ and Class members’ expectations of privacy is 
supported by AT&T and its agents’—the Aggregator Defendants’—unique position to monitor 

Plaintiffs’ and Class members’ behavior through its access to Plaintiffs’ and Class members’ 
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private mobile devices. It is further supported by the surreptitious nature of Defendants’ 
tracking. 

317. These intrusions are highly offensive to a reasonable person. This is evidenced by 
federal legislation enacted by Congress, state constitutional law, common law. Supreme Court 
precedent, rules promulgated and enforcement actions undertaken by the FCC, and countless 
studies, op-eds, and articles decrying surreptitious location tracking. 

318. The offensiveness of Defendants ’ conduct is heightened by AT&T ’ s material 
misrepresentations to Plaintiffs and Class Members concerning the sale, security, and 
safeguarding of their location data. 

319. Plaintiffs and Class members were harmed by the intrusion into their private 
affairs as detailed throughout this Complaint. 

320. Defendants’ actions and conduct complained of herein were a substantial factor in 
causing the harm suffered by Plaintiffs and Class members. 

321. As a result of Defendants’ actions. Plaintiffs and Class members seek nominal and 
punitive damages in an amount to be determined at trial. Plaintiffs and Class members seek 
punitive damages because Defendants’ actions—^which were malicious, oppressive, willful— 
were calculated to injure Plaintiffs and made in conscious disregard of Plaintiffs’ rights. Punitive 
damages are warranted to deter Defendants from engaging in future misconduct. 

COUNT V 
(Negligence) 

(As to Defendant AT&T) 

322. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 

323. AT&T owed a duty to Plaintiffs and Class members—arising from the sensitivity 
of real-time location data and the foreseeability of harm to Plaintiffs and Class members should 
AT&T fail to safeguard and protect such data—to exercise reasonable care in safeguarding their 
sensitive personal information. This duty included, among other things, designing, maintaining, 
monitoring, and testing AT&T’s and its agents’, partners’, and independent contractors’ systems, 
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protocols, and practices to ensure that Plaintiffs’ and Class members’ information was adequately 
secured from unauthorized access. 

324. AT&T’s privacy policies acknowledged its duty to adequately protect Plaintiffs’ 
and Class members’ location data. 

325. AT&T owed a duty to Plaintiffs and Class members to implement a system to 
safeguard against and detect unauthorized access to Plaintiffs’ and Class members’ data in a 
timely manner. 

326. AT&T owed a duty to disclose the material fact that its data security practices 
were inadequate to safeguard Plaintiffs’ and Class members’ location data from unauthorized 
access and that it was allowing access to Plaintiffs’ and Class members’ location data to the 
Aggregator Defendants and other third parties, as detailed herein. 

327. AT&T had independent duties under the FCA and its corresponding regulations, 
as detailed above in Section G, which required AT&T to reasonably safeguard Plaintiffs’ and 
Class members’ location data and promptly notify them of any unauthorized accesses. 

328. AT&T had a special relationship with Plaintiffs and Class members due to its 
status as their telecommunications carrier, whieh provided an independent duty of care. 

Plaintiffs’ and other Class members’ willingness to contract with AT&T, and thereby entrust 
AT&T with their location data, was predicated on the understanding that AT&T would undertake 
adequate security and consent precautions. Moreover, AT&T had the ability to protect its 
systems and the location data it stored on them from unauthorized access. 

329. AT&T breached its duties by, inter alia: (a) failing to implement and maintain 
adequate security practices to safeguard Plaintiffs’ and Class members’ location data; (b) failing 
to detect unauthorized accesses in a timely manner; (c) failing to disclose that AT&T’s data 
security practices were inadequate to safeguard Plaintiffs’ and Class members’ location data; (d) 
failing to provide adequate and timely notice of unauthorized access; and (e) failing to disclose 
its sale of access to Plaintiffs’ and Class members’ data. 

330. But for AT&T’s breaches of its duties. Plaintiffs’ and Class members’ location 

data would not have been accessed by unauthorized individuals. 
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331. Plaintiffs and Class members were foreseeable victims of AT&T’s inadequate data 
security practices and consent mechanisms. AT&T knew or should have known that 
unauthorized accesses would cause damage to Plaintiffs and Class members. 

332. AT&T’s negligent conduct provided a means for unauthorized individuals to track 
Plaintiffs’ and the Class’s locations. 

333. As a result of AT&T’s willful failure to prevent unauthorized accesses, Plaintiffs 
and Class members suffered injury, which includes, but is not limited to: (i) past privacy 
violations arising from the unauthorized sale of their location data to the Aggregator Defendants 
and other third parties, (ii) exposure to a heightened, imminent risk of ongoing harms to their 
safety, security, privacy rights, and property rights, and (iii) financial harm, including but not 
limited to unauthorized use of their limited mobile data, for which they pay AT&T. 

334. The damages to Plaintiffs and the Class members were a proximate, reasonably 
foreseeable result of AT&T’s breaches of its duties. 

335. Therefore, Plaintiffs and Class members are entitled to damages in an amount to 
be proven at trial. 

COUNT VI 

Violations of California’s Consumers Legal Remedies Act (“CLRA”), California Civil 

Code § 1750 et seq. 

(As to AT&T) 

336. Plaintiffs reallege and incorporate all of the preceding paragraphs as though fully 
set forth in this cause of action. 

337. AT&T has engaged in unfair methods of competition and unfair or deceptive acts 
or practices intended to result and which did result in the sale of services to Plaintiffs and other 
California consumers, as detailed herein. 

338. AT&T’s acts and representations concerning its sale of access to its customers’ 
real-time location data, and the safeguards around that data, is likely to mislead reasonable 
consumers, including Plaintiffs and members of the Class, as detailed herein. 

339. AT&T has represented that its goods or services have characteristics, benefits, 
and/or quantities that they do not have. Cal. Civ. Code § 1770(a)(5). Specifically, as AT&T 
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represented that, in purehasing AT&T wireless eell serviee and using AT&T-eompatible phones, 
Plaintiffs’ and Class members’ loeation data would be safeguarded and proteeted as outlined in 
Seetion H, and AT&T would not sell its eustomers’ personal information. In aetuality, as alleged 
in Seetions B-E, AT&T’s wireless serviee did not protect and/or safeguard Plaintiffs’ and Class 
members’ location data from unauthorized access, and AT&T did in fact sell customers’ personal 
information, as detailed herein. 

340. AT&T’s misrepresentations and omissions concerning its sale of access to and 
safeguarding of customers’ real-time location data were material. As alleged in Section G, a 
reasonable person would attach importance to the privacy of her sensitive location data in 
determining whether to contract with a wireless cell phone provider. AT&T was obligated to 
disclose the nature of its location data sales practices, as AT&T had exclusive knowledge of 
material facts not known or knowable to its customers, AT&T actively concealed these material 
facts from its customers, and such disclosures were necessary to materially qualify its 
representations that it did not sell and took measures to protect consumer data and its partial 
disclosures concerning its use of customers’ CPNI. Further, AT&T was obligated to disclose its 
practices under the EGA. 

341. Defendants’ actions and conduct complained of herein were a substantial factor in 
causing the harm suffered by Plaintiffs and Class members. 

342. Plaintiffs, individually and on behalf of the Class, seek injunctive relief for 
AT&T’s violations of the CERA. Plaintiffs seek public injunctive relief against AT&T’s unfair 
and unlawful practices in order to protect the public and restore to the parties in interest money 
or property taken as a result of AT&T’s unfair methods of competition and unfair or deceptive 
acts or practices. Plaintiffs and the Class seek a mandatory cessation of AT&T’s practices and 
proper safeguarding of current and historical location data. 

VII. PRAYER FOR RELIEF 

343. WHEREFORE, Plaintiffs request that judgment be entered against Defendants and 
that the Court grant the following; 
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A. An order determining that this action may be maintained as a class action under 
Rule 23 of the Federal Rules of Civil Procedure, Plaintiffs are proper Class 
representatives, Plaintiffs’ attorneys shall be appointed as Class counsel pursuant 
to Rule 23(g) of the Federal Rules of Civil Procedure, and that Class notice be 
promptly issued; 

B. Judgment against Defendants for Plaintiffs’ and Class members’ asserted causes 
of action; 

C. Public injunctive relief requiring cessation of Defendants’ acts and practices 
complained of herein pursuant to, inter alia, Cal. Bus. & Prof Code § 17200, 47 
U.S.C. § 401(b), and Cal. Civ Code § 1780; 

D. Pre- and post-judgment interest, as allowed by law; 

E. An award of monetary damages, including punitive damages; 

F. Reasonable attorneys’ fees and costs reasonably incurred, including but not 
limited to attorneys’ fees and costs pursuant to 47 U.S.C.A. § 206; and 

G. Any and all other and further relief to which Plaintiffs and the Class may be 
entitled. 

DEMAND FOR JURY TRIAL 

Plaintiffs demand a trial by jury of all issues so triable. 
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Dated; July 16, 2019 


Respectfully submitted, 


_/s/ Thomas D. Warren_ 

Thomas D. Warren (SBN 160921) 

twarren@piercebambridge.com 

PIERCE BAINBRIDGE BECK PRICE 

& HECHT LLP 

355 S. Grand Avenue, 44th Floor 

Los Angeles, CA 90071 

Telephone; (213) 262-9333 

Facsimile; (213) 279-2008 

Deborah Renner {pro hac vice forthcoming) 

drenner@piercebainbridge.com 

Abbye R. Klamann Ognibene (SBN 311112) 

aognibene@piercebambridge.com 

Claiborne R. Hane (pro hac vice 
forthcoming) 

chane@piercebainbridge.com 
PIERCE BAINBRIDGE BECK PRICE 
& HECHT LLP 

277 Park Avenue, 45th Floor 
New York, NY 10172 
Telephone; (212) 484-9866 
Facsimile; (646) 968-4125 


Aaron Mackey (SBN 286647) 

amackev@eff.org 

Andrew Crocker (SBN 291596) 

andrew@eff.org 

Adam D. Schwartz (SBN 309491) 
adam@eff.org 

ELECTRONIC FRONTIER 
FOUNDATION 

815 Eddy Street 

San Francisco, California 94109 
Telephone; (415) 436-9333 
Facsimile; (415) 436-9993 
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